Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Configuring Local Certificate Check

Context

The PKI entity periodically validates the peer certificate, for example, by checking whether it has expired and whether it has been added to a CRL. There are three ways to check certificate status: CRL, OCSP, and None.

  • CRL

    If the CA server can function as a CRL distribution point (CDP), the certificate issued by the CA contains CDP information describing where the CRL can be obtained. The PKI entity then uses the specified method (HTTP) to locate the CRL at the specified location and download it.

    If the CDP URL is configured for a PKI entity, the PKI entity obtains the CRL from the specified URL. If the CA server cannot function as a CDP, the PKI entity uses SCEP to download the CRL.

    When the PKI entity authenticates the local certificate, the PKI entity searches for the certificate in the CRL stored in local memory. If the certificate is included in the CRL, it indicates that the certificate has been revoked. If no CRL is available in local memory, the CRL needs to be downloaded and installed.

  • OCSP

    When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.

    OCSP does not require the PKI entity to download the CRL frequently. When a PKI entity accesses an OCSP server, the entity requests the certificate status. The OCSP server replies with a valid, expired, or unknown state.

    • Valid indicates that the certificate has not been revoked.

    • Expired indicates that the certificate has been revoked.

    • Unknown indicates that the OCSP server does not know the certificate status.

  • None

    If no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the local certificate status, this mode can be used. In this mode, the PKI entity does not check certificate revocation.
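As an added example that is not Huawei's code, the Python below models the three check methods above and the fallback order that step 3 of the procedure describes for certificate-check: a later method is consulted only when the earlier one is unavailable, and a trailing none treats the certificate as valid once every earlier method has failed to answer. The issuer name, serial numbers, CRL and OCSP answers, and the treatment of an OCSP unknown reply as a final answer are assumptions.

```python
"""Ordered revocation-check fallback modelled on this page's
certificate-check { { crl | ocsp } * [ none ] | none } command.
Added example, not Huawei code; the CRL and OCSP data below are constructed."""

# Constructed sample data (hypothetical issuer name and serial numbers):
# serials listed on the issuer's CRL, and the answers an OCSP responder gives.
SAMPLE_CRL = {"ca-1": {0x1A2B, 0x3C4D}}
SAMPLE_OCSP = {("ca-1", 0x5E6F): "revoked", ("ca-1", 0x7788): "good"}


class PkiRealm:
    """methods is the configured order, e.g. ["crl", "ocsp", "none"]."""

    def __init__(self, methods, crl_reachable=True, ocsp_reachable=True):
        if "none" in methods and methods[-1] != "none":
            raise ValueError("none must be the last method, as in the CLI syntax")
        self.methods = methods
        self.crl_reachable = crl_reachable    # CDP / SCEP download possible?
        self.ocsp_reachable = ocsp_reachable  # responder answers?

    def _crl(self, issuer, serial):
        # None means 'unavailable': no CRL in memory and none can be downloaded.
        if not self.crl_reachable or issuer not in SAMPLE_CRL:
            return None
        return "revoked" if serial in SAMPLE_CRL[issuer] else "good"

    def _ocsp(self, issuer, serial):
        if not self.ocsp_reachable:
            return None
        # The page's responder states: valid ('good'), expired ('revoked'), unknown.
        return SAMPLE_OCSP.get((issuer, serial), "unknown")

    def status(self, issuer, serial, not_after, now):
        """Return 'good', 'revoked', 'unknown', 'expired' or 'unavailable'.
        not_after and now are timezone-aware datetimes."""
        if now >= not_after:
            return "expired"              # lifetime check precedes revocation
        for method in self.methods:
            if method == "none":
                return "good"             # every earlier method was unavailable
            check = self._crl if method == "crl" else self._ocsp
            result = check(issuer, serial)
            if result is not None:
                # Assumption: any reply, including OCSP 'unknown', ends the chain;
                # only an unreachable server falls through to the next method.
                return result
        return "unavailable"              # nothing answered and no 'none' fallback
```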

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

  3. Run certificate-check { { crl | ocsp } * [ none ] | none }

    The method used to check whether a certificate is revoked is configured in the PKI realm.

    By default, the system uses CRLs to check whether a certificate in the PKI realm is revoked.

    If multiple certificate status check methods are configured, these methods are used in the configuration sequence. The later method is used only when the previous method is unavailable because, for example, the server cannot be connected. If None is configured, a certificate is considered valid when all the previous methods are unavailable. For example, after the certificate-check crl none command is executed, the PKI entity uses CRL to check certificate status first. If the CRL method is unavailable, the certificate is considered valid.

  4. Select a method to check peer certificate status according to the service types provided by the CA:

Automatic CRL Update

  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Run pki realm realm-name

    The view of an existing PKI realm is displayed.

  4. Run crl auto-update enable

    Automatic CRL update is enabled.

    By default, automatic CRL update is enabled.

  5. Run crl update-period interval

    The interval for automatic CRL update is set.

    By default, the automatic CRL update interval is 8 hours.

  6. Select an automatic CRL update method according to the service types provided by the CA.

    • SCEP

      1. Run crl scep

        The CRL is automatically updated using SCEP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        By default, no CDP URL is configured.

    • HTTP

      1. Run crl http

        The CRL is automatically updated using HTTP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        Or run cdp-url from-ca

        The device is configured to obtain CDP URL from the CA certificate.

        By default, no CDP URL is configured.

  7. Run crl cache

    The PKI realm is allowed to use the CRL in cache.

    By default, the PKI realm is allowed to use cached CRLs.

  8. (Optional) Update the CRL immediately.

    1. Run quit

      Return to the system view.

    2. Run pki get-crl realm realm-name

      The CRL is immediately updated.

      After this command is executed, the new CRL replaces the old CRL in the storage, and is automatically imported to the memory to replace the old one.

Manual CRL Update

  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Run pki http [ esc ] url-address save-name

    The CRL is downloaded using HTTP.

    The value of url-address must contain the certificate file name plus the file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  4. Run pki import-crl realm realm-name filename file-name

    The CRL is imported to the memory.

OCSP

  1. (Optional) Run source interface interface-type interface-number

    The source interface for TCP connection is specified.

    By default, the source interface of a TCP connection is the egress interface.

    The source interface must be a Layer 3 interface with an IP address configured.

  2. Run ocsp url [ esc ] url-address

    The OCSP server's URL is configured.

    Or run ocsp-url from-ca

    The device is configured to obtain the OCSP server's URL from the AIA (Authority Information Access) extension of the CA certificate.

    By default, an OCSP server does not have a URL address.

  3. (Optional) Run ocsp nonce enable

    The nonce extension is added to the OCSP requests sent by the PKI entity.

    By default, the OCSP requests sent by the PKI entity contain the nonce extension.

    The nonce extension improves the security and reliability of communication between the PKI entity and the OCSP server. The content of the nonce extension is randomly generated by the system. The response packets sent by the OCSP server may or may not contain the nonce extension. If a response packet contains a nonce extension, it must be the same as the one sent in the OCSP request.

  4. (Optional) Run ocsp signature enable

    Signature for OCSP requests is enabled.

    By default, signature for OCSP requests is disabled.

    This command is required when the OCSP server requests signature for OCSP requests.

  5. Run quit

    Return to the system view.

  6. Run pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ]

    Or run pki import-certificate ocsp realm realm-name pkcs12 filename filename password password

    The OCSP server certificate is imported to memory.

  7. Run pki ocsp response cache enable

    The OCSP response cache function is enabled.

    By default, the OCSP response cache function is disabled.

    After this command is executed, the PKI entity searches the cache first when checking certificate status using OCSP. If the cache search fails, the PKI entity sends a request to the OCSP server. In addition, the PKI entity caches valid OCSP responses for subsequent searches.

    An OCSP response has a validity period. After the OCSP response cache function is enabled, the PKI entity updates cached OCSP responses every minute and deletes the expired responses.

  8. (Optional) Run pki ocsp response cache number number

    The maximum number of OCSP responses in the cache is set.

    By default, a PKI entity can cache 2 OCSP responses.

  9. (Optional) Run pki ocsp response cache refresh interval interval

    The interval at which the PKI entity updates the OCSP response cache is set.

    By default, the PKI entity updates the OCSP response cache every five minutes.
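An added example (not Huawei's code) of the two OCSP behaviours described in steps 3 and 7 to 9 above: the nonce check, where the responder may omit the nonce but any nonce it returns must match the request, and the response cache with its size limit and periodic purge of expired responses. Requests and responses are constructed dicts standing in for the real DER-encoded messages, and the eviction policy used when the cache is full is an assumption.

```python
"""OCSP nonce matching and response caching, modelled on the ocsp nonce enable
and pki ocsp response cache commands on this page.
Added example, not Huawei code; requests and responses are plain dicts that
stand in for the real DER-encoded messages."""
import secrets


class OcspClient:
    def __init__(self, nonce_enable=True, cache_enable=False, cache_number=2):
        self.nonce_enable = nonce_enable      # page default: nonce included
        self.cache_enable = cache_enable      # page default: cache disabled
        self.cache_number = cache_number      # page default: 2 responses
        self.cache = {}                       # (issuer, serial) -> response

    def build_request(self, issuer, serial):
        req = {"issuer": issuer, "serial": serial}
        if self.nonce_enable:
            req["nonce"] = secrets.token_bytes(16)   # fresh random value per request
        return req

    @staticmethod
    def nonce_ok(request, response):
        """The responder may omit the nonce; if it echoes one, it must match."""
        if response.get("nonce") is None:
            return True
        return secrets.compare_digest(response["nonce"], request.get("nonce", b""))

    def purge_expired(self, now):
        """Periodic refresh: drop responses whose validity period has ended."""
        self.cache = {k: r for k, r in self.cache.items() if r["next_update"] > now}

    def status(self, issuer, serial, now, query_responder):
        """query_responder(request) -> response dict (constructed transport)."""
        key = (issuer, serial)
        if self.cache_enable:
            self.purge_expired(now)
            if key in self.cache:
                return self.cache[key]["status"]     # hit: no request sent
        request = self.build_request(issuer, serial)
        response = query_responder(request)
        if not self.nonce_ok(request, response):
            raise ValueError("OCSP nonce mismatch: response not for this request")
        if self.cache_enable and response["next_update"] > now:
            if len(self.cache) >= self.cache_number:
                # Assumption: evict the entry that expires soonest when full.
                soonest = min(self.cache, key=lambda k: self.cache[k]["next_update"])
                del self.cache[soonest]
            self.cache[key] = response
        return response["status"]
```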

Follow-up Procedure

  • If you want to copy an OCSP server certificate from the local device to another device, run the pki export-certificate ocsp realm realm-name { pem | pkcs12 } command to export the certificate file to the local device memory first, and then transfer the certificate file to the other device using a file transfer protocol.

  • To delete an expired or unused OCSP server certificate from memory, run the pki delete-certificate ocsp realm realm-name command.

  • To delete an expired or unused CRL from memory, run the pki delete-crl realm realm-name command.

Updated: 2019-10-21

Document ID: EDOC1000178177
