HP MSR2000/3000/4000 Router Series Security Command Reference

<Sysname> system-view
[Sysname] pki storage certificates flash:/pki-new
# Specifies pki-new as the storage path for the CRLs.
<Sysname> system-view
[Sysname] pki storage crls pki-new
pki validate-certificate
Use pki validate-certificate to verify the validity of certificates.
Syntax
pki validate-certificate domain domain-name { ca | local }
Views
System view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
The domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\),
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and
apostrophe (').
ca: Specifies the CA certificate.
local: Specifies the local certificates.
Usage guidelines
Generally, certificates are automatically verified when you request, obtain, or import them, or when an
application uses PKI. You can also use this command to manually verify a certificate to see whether it is
issued by a trusted CA, whether it has expired, and whether it is revoked if CRL checking is enabled.
When CRL checking is enabled:
• To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved
  CRLs. If a proper CRL is found, the device loads the CRL to the PKI domain. Otherwise, the device
  obtains the proper CRL from the CA server and saves it locally.
• To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current
  CA to the root CA.
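The CRL lookup order and the CA chain check described above, modeled in Python as an added example (not HP code and not output from a device). The names Cert, Domain, resolve_crl, validate, and validate_ca are hypothetical; an issuer-name match stands in for signature verification, and treating an unobtainable CRL as a failure is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: str
    not_before: datetime
    not_after: datetime

@dataclass
class Domain:
    ca_chain: list                            # current CA first, root CA last
    crls: dict = field(default_factory=dict)  # issuer -> revoked serials loaded in the domain

def resolve_crl(domain, issuer, local_store, ca_server):
    """Return (crl, source) using the order: PKI domain, local storage, CA server."""
    if issuer in domain.crls:
        return domain.crls[issuer], "domain"
    if issuer in local_store:                 # locally saved CRL: load it into the domain
        domain.crls[issuer] = local_store[issuer]
        return domain.crls[issuer], "local"
    if issuer in ca_server:                   # fetch from the CA server and save it locally
        local_store[issuer] = domain.crls[issuer] = ca_server[issuer]
        return domain.crls[issuer], "server"
    return None, "none"

def validate(cert, domain, local_store, ca_server, now, crl_check=True):
    """Trusted issuer, validity period, then revocation when CRL checking is enabled."""
    # Assumption: an issuer-name match stands in for signature verification.
    if cert.issuer not in {ca.subject for ca in domain.ca_chain}:
        return "untrusted issuer"
    if not cert.not_before <= now <= cert.not_after:
        return "outside validity period"
    if crl_check:
        crl, _ = resolve_crl(domain, cert.issuer, local_store, ca_server)
        if crl is None:
            return "no CRL available"         # assumption: treated as a failure
        if cert.serial in crl:
            return "revoked"
    return "valid"

def validate_ca(domain, local_store, ca_server, now, crl_check=True):
    """'ca' case: check every certificate from the current CA up to the root CA."""
    for ca in domain.ca_chain:
        result = validate(ca, domain, local_store, ca_server, now, crl_check)
        if result != "valid":
            return f"{ca.subject}: {result}"
    return "valid"
```
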
Examples
# Verify the validity of the CA certificate in the PKI domain aaa.
<Sysname> system-view
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate......
Serial Number:
f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
Issuer:
C=cn
O=ccc
OU=ppp