3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

When downloading a digital certificate, select the local keyword for a local
certificate and the ca keyword for a CA certificate.
Perform the configuration in Table 205 in system view.
CAUTION:
If a CA certificate already exists, delete it and all the local
certificates using the pki delete-certificate command before retrieving
another one. Otherwise, the certificate and the registered information
may become inconsistent.
This operation will not be saved in the configuration.

Importing Certificates
You can import an existing local certificate or CA certificate with the command in Table 206.
Perform this configuration in system view.

Deleting Certificates
You can delete an existing local certificate or CA certificate with the command in Table 207.
Perform this configuration in system view.

Certificate Validation Configuration

Configuration Task List
At every stage of data communication, both parties should verify the validity of
the corresponding certificates, including the issue time, the issuer and the
certificate validity. The core of the check is to verify the CA signature and to
make sure the certificate is still valid. The CA is assumed never to issue fake
certificates, so every certificate with an authentic CA signature passes the
verification. For example, if you receive an email that contains a certificate
with a public key and is encrypted with a private key, you should verify this
certificate to determine whether it is valid and trustworthy.
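
The checks this paragraph names (issuer, CA signature, validity period), as an added example that is not part of the 3Com guide: a shell function run on an administration workstation with the openssl CLI against PEM files before they are imported on the switch. The function names, file names, certificate subjects and the optional minimum-remaining-lifetime argument are assumptions for illustration, and the sample PKI is constructed.

```shell
#!/bin/sh
# Added example (not from the 3Com guide): pre-check a PEM local certificate
# against its CA certificate on a workstation with the openssl CLI.
# Function names, file names and subjects are constructed for illustration.

# validate_cert CA_PEM CERT_PEM [MIN_SECONDS_LEFT]
# Returns 0 only if the issuer matches, the CA signature verifies, and the
# certificate stays valid for at least MIN_SECONDS_LEFT more seconds (default 0).
validate_cert() {
    ca=$1; cert=$2; min_left=${3:-0}
    # Issuer: the certificate's issuer name must equal the CA's subject name.
    issuer=$(openssl x509 -in "$cert" -noout -issuer) || return 1
    subject=$(openssl x509 -in "$ca" -noout -subject) || return 1
    [ "${issuer#*=}" = "${subject#*=}" ] || { echo "FAIL issuer: $cert"; return 1; }
    # Signature: the core check, the CA's signature over the certificate.
    # openssl verify also rejects certificates outside notBefore/notAfter.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL signature or validity period: $cert"; return 1; }
    # Remaining lifetime: fail if the certificate expires within min_left seconds.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null \
        || { echo "FAIL expires within ${min_left}s: $cert"; return 1; }
    echo "OK: $cert"
}

# make_demo_pki DIR: constructed sample data (two CAs, one 30-day local cert).
make_demo_pki() {
    d=$1
    for name in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.pem" >/dev/null 2>&1 || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=switch.example" \
        -keyout "$d/local.key" -out "$d/local.csr" >/dev/null 2>&1 || return 1
    # The local certificate is signed by ca.pem only, never by other-ca.pem.
    openssl x509 -req -in "$d/local.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/local.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
validate_cert "$demo_dir/ca.pem" "$demo_dir/local.pem" || true          # issued by this CA
validate_cert "$demo_dir/other-ca.pem" "$demo_dir/local.pem" || true    # a different CA
validate_cert "$demo_dir/ca.pem" "$demo_dir/local.pem" 3000000 || true  # needs over 30 days left
rm -rf "$demo_dir"
```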
For certificate validation, you need to:

Table 205 Retrieve a certificate
Operation                                        Command
Retrieve a certificate and download it locally   pki retrieval-certificate { local | ca } domain domain-name

Table 206 Import a certificate
Operation              Command
Import a certificate   pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]

Table 207 Delete a certificate
Operation              Command
Delete a certificate   pki delete-certificate { local | ca } domain domain-name