R3303-HP HSR6800 Routers Security Configuration Guide

Step                                      Command                                                     Remarks
5. Enable CRL checking.                   crl check enable                                            Optional. Enabled by default.
6. Return to system view.                 quit                                                        N/A
7. Obtain the CA certificate.             See "Obtaining certificates"                                N/A
8. Obtain the CRLs.                       pki retrieval-crl domain domain-name                        N/A. This command is not saved in the configuration file.
9. Verify the validity of a certificate.  pki validate-certificate { ca | local } domain domain-name  N/A
Verifying PKI certificates without CRL checking
Step                                        Command                                                     Remarks
1. Enter system view.                       system-view                                                 N/A
2. Enter PKI domain view.                   pki domain domain-name                                      N/A
3. Disable CRL checking.                    crl check disable                                           Enabled by default.
4. Return to system view.                   quit                                                        N/A
5. Obtain the CA certificate.               See "Obtaining certificates"                                N/A
6. Verify the validity of the certificate.  pki validate-certificate { ca | local } domain domain-name  N/A
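The following Python check is an added example, not part of the HP guide: it scans a saved configuration for PKI domains where CRL checking has been turned off with crl check disable, treating domains with no crl check line as enabled (the default stated above). The configuration layout (a pki domain header followed by its commands indented, "#" between sections) and the domain names in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration. Assumed layout: a view header line
# followed by that view's commands indented, with "#" between sections.
SAMPLE_CONFIG = """\
#
pki domain branch-vpn
 crl check disable
#
pki domain hq-vpn
#
pki domain lab
 crl check enable
#
"""

DOMAIN_RE = re.compile(r"^pki domain (\S+)\s*$")
CRL_RE = re.compile(r"^\s+crl check (enable|disable)\s*$")


def crl_check_state(config_text):
    """Map each PKI domain name to True (CRL checking on) or False (off)."""
    state = {}
    current = None
    for line in config_text.splitlines():
        header = DOMAIN_RE.match(line)
        if header:
            current = header.group(1)
            state.setdefault(current, True)  # CRL checking is enabled by default
            continue
        if current is None:
            continue
        if not line.startswith((" ", "\t")):
            current = None  # an unindented line ends the PKI domain view
            continue
        setting = CRL_RE.match(line)
        if setting:
            state[current] = setting.group(1) == "enable"
    return state


def domains_without_crl_check(config_text):
    """Return the sorted names of PKI domains that skip revocation checking."""
    return sorted(d for d, on in crl_check_state(config_text).items() if not on)


if __name__ == "__main__":
    for name in domains_without_crl_check(SAMPLE_CONFIG):
        print(f"PKI domain {name}: CRL checking disabled, revocation status is not checked")
```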
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. If the private key is leaked or the certificate
is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new
certificate.
To destroy the local RSA key pair:
Step                              Command
1. Enter system view.             system-view
2. Destroy a local RSA key pair.  public-key local destroy rsa
Removing a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
To remove a certificate: