R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
152
NOTE:
• The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The
CRL update period setting manually configured on the device is prior to that carried in the CRLs.
• The pki retrieval-crl domain command cannot be saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolution.
Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
To do… Use the command…
Remarks
Enter system view system-view —
Enter PKI domain view pki domain domain-name —
Disable CRL checking crl check disable
Required
Enabled by default
Return to system view quit —
Retrieve the CA certificate
See “Retrieving a certificate
manually“
Required
Verify the validity of the
certificate
pki validate-certificate { ca |
local } domain domain-name
Required
Destroying a local RSA or DSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate
is about to expire, you can destroy the old RSA or DSA key pair and then create a pair to request a new
certificate.
Follow these steps to destroy a local RSA key pair:
To do… Use the command…
Remarks
Enter system view system-view —
Destroy a local RSA or DSA
key pair
public-key local destroy { dsa |
rsa }
Required
NOTE:
For more information about the public-key local destroy command, see
VPN Command Reference
.
Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
Follow these steps to delete a certificate:
To do… Use the command…
Remarks
Enter system view system-view —