HP VPN Firewall Appliances VPN Configuration Guide
293
Verifying PKI certificates
A certificate needs to be verified before being used. Verifying a certificate will check that the certificate
is signed by the CA and that the certificate has neither expired nor been revoked.
You can specify whether CRL checking is required in certificate verification. If you enable CRL checking,
CRLs will be used in verification of a certificate. In this case, be sure to retrieve the CA certificate and
CRLs to the local device before the certificate verification. If you disable CRL checking, you only need to
retrieve the CA certificate.
The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The
CRL update period setting manually configured on the device is prior to that carried in the CRLs.
Verifying PKI certificates with CRL checking
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Specify the URL of the CRL
distribution point.
crl url url-string
Optional.
No CRL distribution point URL is
specified by default.
4. Set the CRL update period.
crl update-period hours
Optional.
By default, the CRL update period
depends on the next update field in
the CRL file.
5. Enable CRL checking.
crl check enable
Optional.
Enabled by default.
6. Return to system view.
quit N/A
7. Retrieve the CA certificate.
See "Retrieving a certificate
manually"
N/A
8. Retrieve the CRLs.
pki retrieval-crl domain
domain-name
N/A
This command is not saved in the
configuration file.
9. Verify the validity of a
certificate.
pki validate-certificate { ca | local }
domain domain-name
N/A
Verifying PKI certificates without CRL checking
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter PKI domain view.
pki domain domain-name N/A
3. Disable CRL checking.
crl check disable Enabled by default.
4. Return to system view.
quit N/A
5. Retrieve the CA certificate.
See "Retrieving a certificate
manually"
N/A