R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
95
To do… Use the command…
Remarks
Set the CRL update period crl update-period hours
Optional
By default, the CRL update period
depends on the next update field in
the CRL file.
Enable CRL checking crl check enable
Optional
Enabled by default
Return to system view quit —
Retrieve the CA certificate See “Retrieving a certificate manually” Required
Retrieve CRLs pki retrieval-crl domain domain-name Required
Verify the validity of a
certificate
pki validate-certificate { ca | local }
domain domain-name
Required
Configuring CRL-checking-disabled PKI certificate verification
Follow these steps to configure CRL-checking-disabled PKI certificate verification:
To do… Use the command…
Remarks
Enter system view system-view —
Enter PKI domain view pki domain domain-name —
Disable CRL checking crl check disable
Required
Enabled by default
Return to system view quit —
Retrieve the CA certificate
See “Retrieving a certificate
manually”
Required
Verify the validity of the certificate
pki validate-certificate { ca | local }
domain domain-name
Required
NOTE:
• The CRL update period refers to the interval at which the entity downloads CRLs from the CRL server. The
CRL update period configured manually is prior to that specified in the CRLs.
• The pki retrieval-crl domain configuration will not be saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolving.
Destroying a local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate
is about to expire, you can destroy the old RSA key pair and then create a pair to request a new
certificate.
Follow these steps to destroy a local RSA key pair:
To do… Use the command…
Remarks
Enter system view system-view —
Destroy a local RSA key pair public-key local destroy rsa Required