HP MSR2000/3000/4000 Router Series Security Command Reference

Views
PKI domain view
Predefined user roles
network-admin
Parameters
url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters in the
format of ldap://server_location or http://server_location, where server_location can be an IP address
or a domain name.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the CRL repository belongs, where
the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the CRL repository is on
the public network, do not specify this option.
Usage guidelines
CRL checking verifies whether a certificate is listed in the CRL. If it is, the certificate has been
revoked and its home entity is not trusted.
To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository
in the following order: the CRL repository specified in the PKI domain, the CRL repository in the local
certificates, the CRL repository in the CA certificate, and the CRL obtained through SCEP.
To use SCEP to obtain the CRL, the CA certificate and the local certificates must be present.
If an LDAP-format URL is specified but the URL does not carry the host name of the CRL repository, the
device can get the complete URL information according to the LDAP server address specified in the PKI
domain.
The actual length of the URL is restricted by the CLI or the url-string parameter, whichever is smaller.
Examples
# Specify the URL of the CRL repository as http://169.254.0.30.
<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] crl url http://169.254.0.30
# Specify the URL of the CRL repository as ldap://169.254.0.30 in VPN instance vpn1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30 vpn-instance vpn1
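The following Python model of the repository selection order and url-string constraints from the usage guidelines is an added example for auditing a planned PKI domain configuration offline; it is not HP code or device behavior captured from a router. The function names, the source labels, and the sample addresses are assumptions, as is applying LDAP host completion to whichever URL is selected.

```python
from urllib.parse import urlsplit

def validate_crl_url(url):
    """Check a 'crl url' url-string against the documented constraints."""
    if not 1 <= len(url) <= 511:
        raise ValueError("url-string must be 1 to 511 characters")
    # The string is case-sensitive, so only the lowercase schemes are accepted.
    if not url.startswith(("ldap://", "http://")):
        raise ValueError("url-string must start with ldap:// or http://")
    return url

def complete_ldap_url(url, ldap_server):
    """Fill in a missing host on an ldap:// URL from the domain's LDAP server."""
    parts = urlsplit(url)
    if parts.scheme == "ldap" and not parts.hostname:
        if not ldap_server:
            raise ValueError("LDAP URL has no host and no LDAP server is set")
        return parts._replace(netloc=ldap_server).geturl()
    return url

def select_crl_source(domain_url=None, local_cert_url=None, ca_cert_url=None,
                      has_ca_cert=False, has_local_cert=False, ldap_server=None):
    """Return (source, url) following the documented order of preference."""
    if domain_url:
        validate_crl_url(domain_url)   # only the CLI argument has these limits
    for source, url in (("pki-domain", domain_url),
                        ("local-certificate", local_cert_url),
                        ("ca-certificate", ca_cert_url)):
        if url:
            # Assumption: host completion applies to whichever URL is selected.
            return source, complete_ldap_url(url, ldap_server)
    # SCEP is the last resort and needs both certificates to be present.
    if has_ca_cert and has_local_cert:
        return "scep", None
    raise LookupError("no CRL repository available; CRL checking cannot run")

if __name__ == "__main__":
    # Constructed inputs: a CA certificate whose CRL URL carries no host name.
    print(select_crl_source(ca_cert_url="ldap:///CN=crl,O=example",
                            ldap_server="192.0.2.10",
                            has_ca_cert=True))
```

A LookupError from select_crl_source marks a domain that has no usable CRL repository, which is worth catching before the configuration is deployed.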
Related commands
ldap-server
pki retrieve-crl
display pki certificate access-control-policy
Use display pki certificate access-control-policy to display information about certificate access control
policies.
Syntax
display pki certificate access-control-policy [ policy-name ]