R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101

CAUTION:
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This restriction helps avoid inconsistency between the certificate and the registration information resulting from configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and the local certificate first.
The pki retrieval-certificate configuration is not saved in the configuration file.
Make sure that the device system time falls within the validity period of the certificate; otherwise the certificate is treated as invalid.
Configuring PKI certificate verification
A certificate must be verified before it is used. Verification checks that the certificate is signed by the CA and that it has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs are used when verifying a certificate, so you must retrieve both the CA certificate and the CRLs to the local device before verifying the certificate. If you disable CRL checking, you only need to retrieve the CA certificate.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
To do…                                        | Use the command…                                           | Remarks
Enter system view                             | system-view                                                |
Enter PKI domain view                         | pki domain domain-name                                     |
Specify the URL of the CRL distribution point | crl url url-string                                         | Optional. No CRL distribution point URL is specified by default.
Set the CRL update period                     | crl update-period hours                                    | Optional. By default, the CRL update period depends on the Next Update field in the CRL file.
Enable CRL checking                           | crl check enable                                           | Optional. Enabled by default.
Return to system view                         | quit                                                       |
Retrieve the CA certificate                   | See “Retrieving a certificate manually.”                   | Required
Retrieve CRLs                                 | pki retrieval-crl domain domain-name                       | Required
Verify the validity of a certificate          | pki validate-certificate { ca | local } domain domain-name | Required
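The following is an added example, not part of this guide and not the firewall CLI: it reproduces on a workstation, with OpenSSL, the three checks that pki validate-certificate performs (CA signature, validity period, revocation via CRL) against a constructed CA, leaf certificate and CRL, and shows what changes when CRL checking is on or off and when the clock falls outside the validity period. All file names and the CN values are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not device CLI): the three checks the text describes, done with OpenSSL
# against a constructed CA, leaf certificate and CRL in a scratch directory.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p demoCA/newcerts; : > demoCA/index.txt; echo 01 > demoCA/crlnumber

# Constructed CA certificate and a leaf certificate it signs (the "local certificate").
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj /CN=DemoCA \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj /CN=fw.example \
  -keyout fw.key -out fw.csr 2>/dev/null
openssl x509 -req -in fw.csr -CA ca.pem -CAkey ca.key -CAcreateserial -sha256 \
  -days 365 -out fw.pem 2>/dev/null

# Minimal 'openssl ca' config, used only to keep the revocation database and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = ./ca.pem
private_key = ./ca.key
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF

# verify_cert CERT CRLCHECK(yes|no) [EPOCH]: exit 0 when the certificate verifies.
# CRLCHECK=yes mirrors "crl check enable"; EPOCH stands in for the device system time.
verify_cert() {
  crl_args=""; time_args=""
  [ "$2" = yes ] && crl_args="-crl_check -CRLfile crl.pem"
  [ -n "$3" ] && time_args="-attime $3"
  openssl verify -CAfile ca.pem $crl_args $time_args "$1" >/dev/null 2>&1
}

openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null          # empty CRL
verify_cert fw.pem yes && echo "unrevoked, CRL checking on: valid"
openssl ca -config ca.cnf -revoke fw.pem 2>/dev/null                # CA revokes fw.pem
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null          # CRL now lists it
verify_cert fw.pem no  && echo "revoked, CRL checking off: still accepted"
verify_cert fw.pem yes || echo "revoked, CRL checking on: rejected"
# System time outside the validity period (ten years ahead) fails even without a CRL.
verify_cert fw.pem no $(( $(date +%s) + 315360000 )) || echo "clock outside validity: rejected"
```

The second and third outcomes are the point of the procedure: with CRL checking disabled a revoked certificate still passes, and a wrong system clock rejects an otherwise good certificate, which is why the CAUTION above insists on correct device time.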