Verifying pki certificates without crl checking, Destroying a local rsa key pair, Deleting a certificate – H3C Technologies H3C SecPath F1000-E User Manual

Page 323

Advertising
background image

311

NOTE:

The CRL update period defines the interval at which the entity downloads CRLs from the CRL server. The
CRL update period setting manually configured on the device is prior to that carried in the CRLs.

The pki retrieval-crl domain command cannot be saved in the configuration file.

The URL of the CRL distribution point does not support domain name resolution.

Verifying PKI certificates without CRL checking

To configure CRL-checking-disabled PKI certificate verification:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter PKI domain view.

pki domain domain-name N/A

3.

Disable CRL checking.

crl check disable

Enabled by default

4.

Return to system view.

quit

N/A

5.

Retrieve the CA certificate.

See "

Retrieving a certificate

manually

"

N/A

6.

Verify the validity of the

certificate.

pki validate-certificate { ca | local }
domain domain-name

N/A

Destroying a local RSA key pair

A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate

is about to expire, you can destroy the old RSA key pair and then create a pair to request a new

certificate.
To destroy a local RSA key pair:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Destroy a local RSA
key pair.

public-key local destroy rsa

For more information about this command, see
VPN Command Reference.

Deleting a certificate

When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.
To delete a certificate:

Step Command

1.

Enter system view.

system-view

2.

Delete certificates.

pki delete-certificate { ca | local } domain domain-name

Advertising