R0106-HP MSR Router Series Security Configuration Guide(V7)

2. CRL repository in the certificate to be verified.
3. CRL repository in the CA certificate, or CRL repository in the upper-level CA certificate if the CA certificate is the certificate to be verified.
After the previous selection process, if the CRL repository is not found, the device obtains the CRL through SCEP. To use SCEP to obtain the CRL, the CA certificate and the local certificates must have been obtained.
When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain of the domain. As a result, the device must contain all the PKI domains to which the CA certificates in the certificate chain belong.
Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate. After identifying the parent certificate of a certificate, the system locates the PKI domains to which the parent certificate belongs. If CRL checking is enabled for the domains, the system checks whether or not the CA certificate has been revoked. The process continues until the root CA certificate is reached. The system then verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
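The following is an added model of the two mechanisms described above (CRL repository selection and chain verification with per-domain CRL checking); it is written for this guide and is not HP or Comware code. Certificates, PKI domains and CRLs are constructed in-memory stand-ins: a CA signature is abstracted to a key identifier (`signed_by_key` must equal the issuer's `key_id`), a domain's CRL is the set of serial numbers its CA has revoked, and each certificate is checked against the CRL held by the domain of its issuer, since a CA revokes the certificates it issued. The first choice in the repository selection order, the URL configured with `crl url`, is an assumption because that list item is not on this page; the rest of the order follows the text.

```python
"""Model of CRL repository selection and chain verification with CRL checking.

Added illustration, not HP/Comware code. All certificates, domains and CRLs
below are constructed sample data; signatures are abstracted to key ids.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str                      # names the parent CA that issued this certificate
    serial: int
    signed_by_key: str               # stand-in for the issuing CA's signature (assumption)
    key_id: str = ""                 # this certificate's own key (CA certificates only)
    crl_url: Optional[str] = None    # CRL repository named in the certificate, if any

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


@dataclass
class PkiDomain:
    name: str
    ca_certs: List[Cert]                        # CA certificates held in this domain
    crl_check_enabled: bool = True              # `crl check enable` / `undo crl check enable`
    crl: Set[int] = field(default_factory=set)  # serials revoked by this domain's CA
    crl_url: Optional[str] = None               # URL configured with `crl url` (assumption)


def find_parent(cert: Cert, domains: List[PkiDomain]) -> Optional[Tuple[Cert, PkiDomain]]:
    """Locate the issuing CA certificate and the PKI domain that holds it."""
    for d in domains:
        for c in d.ca_certs:
            if c.subject == cert.issuer:
                return c, d
    return None


def select_crl_repository(cert: Cert, domains: List[PkiDomain]) -> str:
    """Configured URL (assumed first choice), then the repository in the certificate
    being verified, then the one in its CA certificate; otherwise fall back to SCEP."""
    found = find_parent(cert, domains)
    parent, domain = found if found else (None, None)
    if domain is not None and domain.crl_url:
        return domain.crl_url
    if cert.crl_url:
        return cert.crl_url
    if parent is not None and parent.crl_url:
        return parent.crl_url
    return "SCEP"  # no repository found: SCEP needs the CA and local certificates first


def verify_with_crl_check(cert: Cert, domains: List[PkiDomain]) -> Tuple[bool, str]:
    """Walk from `cert` up to the root CA, CRL-checking each certificate in the domain
    of its issuer when that domain has CRL checking enabled, then confirm top-down
    that every certificate was issued by the named parent CA."""
    chain = [cert]
    current = cert
    while not current.is_root:
        found = find_parent(current, domains)
        if found is None:
            return False, f"no PKI domain holds the issuer of {current.subject}"
        parent, domain = found
        if domain.crl_check_enabled and current.serial in domain.crl:
            return False, f"certificate {current.subject} is revoked"
        chain.append(parent)
        current = parent
    root = chain[-1]
    if root.signed_by_key != root.key_id:
        return False, f"root CA {root.subject} is not self-signed"
    for i in range(len(chain) - 2, -1, -1):  # from the root downwards
        child, parent = chain[i], chain[i + 1]
        if child.signed_by_key != parent.key_id:
            return False, f"{child.subject} is not issued by {parent.subject}"
    return True, "ok"


def verify_without_crl_check(cert: Cert, domains: List[PkiDomain]) -> Tuple[bool, str]:
    """Same walk with `undo crl check enable` applied to every domain (model)."""
    relaxed = [PkiDomain(d.name, d.ca_certs, False, d.crl, d.crl_url) for d in domains]
    return verify_with_crl_check(cert, relaxed)


# Constructed sample PKI: Root CA -> Sub CA -> router1, and Root CA -> Old Sub CA
# (revoked by Root CA) -> router2. router3 carries a signature from an unknown key.
ROOT = Cert("Root CA", "Root CA", 1, signed_by_key="k-root", key_id="k-root")
SUB = Cert("Sub CA", "Root CA", 10, signed_by_key="k-root", key_id="k-sub",
           crl_url="http://crl.example.test/sub.crl")
OLD_SUB = Cert("Old Sub CA", "Root CA", 11, signed_by_key="k-root", key_id="k-old")
ROUTER1 = Cert("router1", "Sub CA", 100, signed_by_key="k-sub")
ROUTER2 = Cert("router2", "Old Sub CA", 200, signed_by_key="k-old")
FORGED = Cert("router3", "Sub CA", 300, signed_by_key="k-attacker")

DOMAINS = [
    PkiDomain("rootdom", [ROOT], crl={11}),  # Root CA has revoked Old Sub CA (serial 11)
    PkiDomain("subdom", [SUB]),
    PkiDomain("olddom", [OLD_SUB]),
]

if __name__ == "__main__":
    for c in (ROUTER1, ROUTER2, FORGED):
        print(c.subject, select_crl_repository(c, DOMAINS), verify_with_crl_check(c, DOMAINS))
    print("router2 without CRL checking:", verify_without_crl_check(ROUTER2, DOMAINS))
```

The router2 case shows why the guide's note about holding every domain in the chain matters: the revocation of Old Sub CA is only visible through the CRL held in the Root CA's domain, and disabling CRL checking (the second procedure on this page) makes that certificate verify.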
To verify certificates with CRL checking:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter PKI domain view. | pki domain domain-name | N/A |
| 3. (Optional.) Specify the URL of the CRL repository. | crl url url-string [ vpn-instance vpn-instance-name ] | By default, the URL of the CRL repository is not specified. |
| 4. Enable CRL checking. | crl check enable | By default, CRL checking is enabled. |
| 5. Return to system view. | quit | N/A |
| 6. Obtain the CA certificate. | See "Obtaining certificates." | N/A |
| 7. (Optional.) Obtain the CRL and save it locally. | pki retrieve-crl domain domain-name | The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain. |
| 8. Verify the validity of the certificates. | pki validate-certificate domain domain-name { ca \| local } | N/A |
Verifying certificates without CRL checking
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter PKI domain view. | pki domain domain-name | N/A |
| 3. Disable CRL checking. | undo crl check enable | By default, CRL checking is enabled. |