R2511-HP MSR Router Series Security Configuration Guide(V5)

Step                                        Command                                                       Remarks
6. Return to system view.                   quit                                                          N/A
7. Retrieve the CA certificate.             See "Retrieving a certificate manually"                       N/A
8. Retrieve the CRLs.                       pki retrieval-crl domain domain-name                          N/A. This command is not saved in the configuration file.
9. Verify the validity of a certificate.    pki validate-certificate { ca | local } domain domain-name    N/A

Verifying certificates without CRL checking
Step                                        Command                                                       Remarks
1. Enter system view.                       system-view                                                   N/A
2. Enter PKI domain view.                   pki domain domain-name                                        N/A
3. Disable CRL checking.                    crl check disable                                             CRL checking is enabled by default.
4. Return to system view.                   quit                                                          N/A
5. Retrieve the CA certificate.             See "Retrieving a certificate manually"                       N/A
6. Verify the validity of the certificate.  pki validate-certificate { ca | local } domain domain-name    N/A

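
Because a domain with crl check disable set validates certificates without looking at revocation status, it is worth knowing which domains on a device have it. The following is an added example, not part of the HP guide: a Python check over a saved configuration that lists those PKI domains. The domain names and sample configuration are constructed, and the section layout it relies on is an assumption.

```python
# Added example (not from the HP guide): list PKI domains in a saved
# configuration that contain "crl check disable".
import re

# Constructed sample. Assumed layout: a section header starts at column 0,
# its sub-commands are indented, and "#" lines separate sections.
SAMPLE_CONFIG = """\
#
pki domain branch-vpn
 ca identifier example-ca
 crl check disable
#
pki domain hq-vpn
 ca identifier example-ca
#
interface Ethernet0/0
 description uplink
#
"""


def audit_crl_checking(config_text):
    """Map each PKI domain name to True (CRL checking on) or False (off)."""
    domains = {}
    current = None  # PKI domain whose sub-commands are being read
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            current = None  # a separator ends the current section
        elif not line[0].isspace():
            match = re.fullmatch(r"pki domain (\S+)", line)
            current = match.group(1) if match else None
            if current:
                domains[current] = True  # per the guide: enabled by default
        elif current and line.split() == ["crl", "check", "disable"]:
            domains[current] = False
    return domains


def domains_without_crl_check(config_text):
    """Sorted names of PKI domains that skip revocation checking."""
    result = audit_crl_checking(config_text)
    return sorted(name for name, enabled in result.items() if not enabled)


if __name__ == "__main__":
    for name in domains_without_crl_check(SAMPLE_CONFIG):
        print(f"pki domain {name}: CRL checking is disabled")
```
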
Destroying the local RSA key pair
A certificate has a lifetime, which is determined by the CA. If the private key is leaked or the certificate
is about to expire, you can destroy the old RSA key pair and then create a new pair to request a new
certificate.
To destroy the local RSA key pair:
Step                                Command
1. Enter system view.               system-view
2. Destroy a local RSA key pair.    public-key local destroy rsa

Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
To delete a certificate: