R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
306
Ste
p
Command
Remarks
5. Enable CRL checking. crl check enable
Optional.
Enabled by default
6. Return to system view.
quit N/A
7. Retrieve the CA certificate.
See "Retrieving a certificate
manually"
N/A
8. Retrieve CRLs.
pki retrieval-crl domain
domain-name
N/A
9. Verify the validity of a
certificate.
pki validate-certificate { ca |
local } domain domain-name
N/A
NOTE:
• The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The
CRL update period setting manually configured on the device is prior to that carried in the CRLs.
• The pki retrieval-crl domain command cannot be saved in the configuration file.
• The URL of the CRL distribution point does not support domain name resolution.
Configuring CRL-checking-disabled PKI certificate verification
To configure CRL-checking-disabled PKI certificate verification:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Disable CRL checking. crl check disable Enabled by default.
4. Return to system view.
quit N/A
5. Retrieve the CA certificate.
See "Retrieving a certificate manually" N/A
6. Verify the validity of the
certificate.
pki validate-certificate { ca | local } domain
domain-name
N/A
Destroying a local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate
is about to expire, you can destroy the old RSA key pair and then create a pair to request a new
certificate.
To destroy a local RSA key pair:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Destroy a local RSA key
pair.
public-key local destroy rsa
For more information about this command,
see VPN Command Reference.