CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Checking Certificate Validity


When an end entity needs to authenticate a peer, it checks the validity of the peer certificate. For example, when an end entity needs to set up a secure tunnel or connection with a peer, it verifies the peer certificate and the issuer's certificate. If the certificate of a CA is invalid or has expired, all certificates issued by this CA are invalid. This invalidation seldom occurs because a device usually renews the CA/RA certificate before the certificate expires.

During certificate authentication, the local device must obtain the peer certificate and the following information: the trusted CA certificate, the CRL, the local certificate and its private key, and the certificate authentication configuration.

The local device authenticates a certificate as follows:

  1. Uses the public key of the CA to verify the CA's digital signature on the certificate.
  2. Checks whether the certificate has expired.
  3. Checks whether the certificate has been revoked, using the CRL, OCSP, or None mode.


  1. Run:


    The system view is displayed.

  2. Run:

    pki validate-certificate { ca | local } pki-realm-name

    The CA certificate validity or local certificate validity is checked.
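
The three checks listed above can be reproduced off-device to see which one rejects a given certificate. The following is an added example, not Huawei's implementation: it assumes the Python `cryptography` package, uses constructed keys, certificates and CRLs, and covers only the CRL and None revocation modes (OCSP needs a live responder and is omitted).

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY = datetime.now(timezone.utc), timedelta(days=1)

def name(cn):
    return x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])

def issue(cn, pubkey, signer, start, end):  # constructed certificate; days relative to NOW
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name("Example CA"))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW + start * DAY).not_valid_after(NOW + end * DAY)
            .sign(signer, hashes.SHA256()))

def make_crl(ca_key, serials):  # constructed CRL listing the given serial numbers
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name("Example CA"))
           .last_update(NOW - DAY).next_update(NOW + DAY))
    for s in serials:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
                  .serial_number(s).revocation_date(NOW - DAY).build())
    return crl.sign(ca_key, hashes.SHA256())

def validate(cert, ca_cert, crl=None, mode="crl"):  # returns 'valid' or the first failed check
    ca_pub = ca_cert.public_key()
    try:  # 1. the CA public key must verify the signature on the certificate
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad-signature"
    end = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if NOW > end:  # 2. expiry
        return "expired"
    if mode == "crl":  # 3. revocation; mode "none" skips this check entirely
        if crl is None or not crl.is_signature_valid(ca_pub):
            return "crl-unusable"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
    return "valid"

def demo():  # one constructed certificate per verdict
    ca_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca = issue("Example CA", ca_key.public_key(), ca_key, -30, 365)
    good, old = (issue("peer", other_key.public_key(), ca_key, -60, end) for end in (30, -1))
    forged = issue("peer", other_key.public_key(), other_key, -60, 30)  # not signed by the CA
    empty, listed = make_crl(ca_key, []), make_crl(ca_key, [good.serial_number])
    return {"good": validate(good, ca, empty), "old": validate(old, ca, empty),
            "forged": validate(forged, ca, empty), "revoked": validate(good, ca, listed),
            "revoked, mode none": validate(good, ca, listed, mode="none")}
```

The last entry returned by `demo()` shows that in None mode a certificate listed in the CRL still passes, because no revocation check is performed.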

Updated: 2019-05-25

Document ID: EDOC1000097287
