HP MSR2000/3000/4000 Router Series Security Command Reference

The trusted CA's finger print is:
MD5 fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC
SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266
Is the finger print correct?(Y/N):y
# Obtain the local certificates from the certificate distribution server.
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa local
# Obtain the certificate of the peer entity en1 from the certificate distribution server.
<Sysname> system-view
[Sysname] pki retrieve-certificate domain aaa peer en1
Related commands
display pki certificate
pki delete-certificate

pki retrieve-crl
Use pki retrieve-crl to obtain CRLs and save them locally.
Syntax
pki retrieve-crl domain domain-name
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. The
domain name cannot contain the following special characters: tilde (~), asterisk (*), backslash (\),
vertical bar (|), colon (:), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), and
apostrophe (').
Usage guidelines
CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To
obtain CRLs, a PKI domain must have the proper CA certificate.
The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol. Which
protocol is used depends on the configuration of the CRL repository in the PKI domain:
• If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the
HTTP protocol.
• If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the
LDAP protocol. If the URL specified by using the crl url command does not have a host name, for
example, ldap:///CN=8088,OU=test,U=rd,C=cn, you must specify the URL of the LDAP server for
the PKI domain by using the ldap server command. In this case, the device combines the URL of the
LDAP server and the URL of the CRL repository to form a complete URL of the LDAP repository to
obtain CRLs through the LDAP protocol.
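
The protocol selection and URL combination described above, written as a configuration check that flags PKI domains whose CRL retrieval cannot work (an added example, not HP code). The function names, the sample domains, the SCEP case for a domain with no CRL URL, and the exact way the two URLs are joined are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def resolve_crl_source(crl_url, ldap_server=None):
    """Return (protocol, effective_url) for one PKI domain's CRL settings.

    crl_url: value set with "crl url" (None if unset).
    ldap_server: host set with "ldap server" (None if unset).
    """
    if not crl_url:
        # Assumption: no CRL repository URL means the SCEP case applies.
        return ("scep", None)
    parts = urlsplit(crl_url)
    scheme = parts.scheme.lower()
    if scheme == "http":
        if not parts.hostname:
            raise ValueError("HTTP CRL URL has no host name")
        return ("http", crl_url)
    if scheme == "ldap":
        if parts.hostname:
            return ("ldap", crl_url)  # URL is already complete
        if not ldap_server:
            raise ValueError("hostless LDAP CRL URL and no LDAP server set")
        # Assumed combination rule: the LDAP server becomes the URL's host part.
        return ("ldap", urlunsplit(("ldap", ldap_server, parts.path, parts.query, "")))
    raise ValueError("scheme %r is not HTTP or LDAP" % parts.scheme)

# Constructed sample settings; domain names, hosts and URLs are illustrative.
DOMAINS = {
    "aaa": {"crl_url": "ldap:///CN=8088,OU=test,U=rd,C=cn", "ldap_server": "192.0.2.10"},
    "bbb": {"crl_url": "ldap:///CN=8088,OU=test,U=rd,C=cn", "ldap_server": None},
    "ccc": {"crl_url": "http://crl.example.test/ca.crl", "ldap_server": None},
    "ddd": {"crl_url": None, "ldap_server": None},
}

def audit(domains):
    """Map each domain name to its resolved CRL source or to an error entry."""
    report = {}
    for name, cfg in domains.items():
        try:
            report[name] = resolve_crl_source(cfg["crl_url"], cfg["ldap_server"])
        except ValueError as exc:
            report[name] = ("error", str(exc))
    return report

if __name__ == "__main__":
    for name, result in audit(DOMAINS).items():
        print(name, result)
```

A domain reported as "error" has no usable CRL source, so revocation status for its local and peer certificates cannot be refreshed until the configuration is corrected.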