R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101

94
Retrieving a certificate manually
You can download an existing CA certificate, local certificate, or peer entity certificate from the CA
server and save it locally, in either of two modes: online or offline. In offline mode, you retrieve the
certificate by an out-of-band means such as FTP, disk, or email, and then import it into the local PKI
system.
Certificate retrieval serves two purposes:
- Locally store the certificates associated with the local security domain, for improved query efficiency
  and a reduced query count.
- Prepare for certificate verification.
Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.
Follow these steps to retrieve a certificate manually:
To do…                                   Use the command…                                                  Remarks
Enter system view                        system-view                                                       -
Retrieve a certificate manually (online) pki retrieval-certificate { ca | local } domain domain-name       Required. Use either command.
Retrieve a certificate manually (offline) pki import-certificate { ca | local } domain domain-name
                                           { der | p12 | pem } [ filename filename ]
CAUTION:
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This
restriction prevents inconsistency between the certificate and the registration information when related
configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to
delete the existing CA certificate and local certificate first.
The pki retrieval-certificate configuration will not be saved in the configuration file.
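The following CLI session is an added example, not taken from the HP guide. It walks through the procedure above in order: online retrieval of the CA certificate and then the local certificate, the offline import of a PEM file transferred out of band, and the delete-then-retrieve sequence the caution requires when a CA certificate is to be replaced. The domain name lb_domain, the file name lb_local.pem, the Sysname prompt, the argument order of pki delete-certificate, and the display pki certificate command used to confirm the result are assumptions.

```text
# Constructed session; lb_domain, lb_local.pem and the Sysname prompt are assumed.
<Sysname> system-view
# Online retrieval: the LDAP server must already be configured for this domain.
# Retrieve the CA certificate first; the local certificate is verified against it.
[Sysname] pki retrieval-certificate ca domain lb_domain
[Sysname] pki retrieval-certificate local domain lb_domain
# Offline alternative: a certificate obtained out of band (FTP, disk, email) is
# imported from the device file system in PEM format.
[Sysname] pki import-certificate local domain lb_domain pem filename lb_local.pem
# Replacing a CA certificate: a domain that already holds one rejects a second
# retrieval, so delete the local certificate and the CA certificate first
# (argument order of pki delete-certificate is assumed).
[Sysname] pki delete-certificate local domain lb_domain
[Sysname] pki delete-certificate ca domain lb_domain
[Sysname] pki retrieval-certificate ca domain lb_domain
[Sysname] pki retrieval-certificate local domain lb_domain
# Confirm what the domain now holds (display command assumed, not on this page).
[Sysname] display pki certificate ca domain lb_domain
```

Because pki retrieval-certificate is not saved in the configuration file, the retrieval commands do not reappear in the running configuration; confirm the contents of the domain with a display command rather than by inspecting the configuration.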
Configuring PKI certificate verification
A certificate must be verified before it is used. Certificate verification checks that the certificate
is signed by the CA and that it has neither expired nor been revoked.
Before verifying a certificate, you need to retrieve the CA certificate.
You can specify whether CRL checking is required during certificate verification. If CRL checking is
enabled, the CRL is consulted when a certificate is verified.
Configuring CRL-checking-enabled PKI certificate verification
Follow these steps to configure CRL-checking-enabled PKI certificate verification:
To do…                                        Use the command…        Remarks
Enter system view                             system-view             -
Enter PKI domain view                         pki domain domain-name  -
Specify the URL of the CRL distribution point crl url url-string      Optional. No CRL distribution point URL is
                                                                      specified by default.