No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Checking the CA and Local Certificates

Checking the CA and Local Certificates


Before a certificate is used, it must be authenticated. In a certificate, the issuing date, issuer information, and certificate validity need to be authenticated. The key to authenticate a certificate is to check the signature of CA and check whether the certificate is expired or revoked.

In certificate authentication, the local device must obtain the peer certificate and the following information: CA certificate, CRL, local certificate and its private key, and certificate authentication information.

The local device authenticates a local certificate as follows:

  1. Uses the public key of the CA certificate to authenticate its signature.

    To authenticate a certificate, a PKI entity must obtain the public key of the CA that issued the certificate from the CA's certificate, so that the PKI entity can check the signature of the CA on the certificate. An upper-level CA authenticates the certificates of lower-level CAs. The authentication is performed along the certificate chain, and terminated at the trustpoint (the root CA holding a self-signed certificate or a subordinate CA trusted by the PKI entity).

    PKI entities sharing the same root or subordinate CA and having CA certificates can authenticate certificates of each other (peer certificates). Authentication of a peer certificate chain ends at the first trusted certificate or CA.

    In a word, certificate chain authentication starts at an entities certificate and ends at a trustpoint.

  2. Checks whether the certificate has expired.

  3. Checks whether the certificate has been revoked in CRL or None mode.

To check validity of the CA and local certificates of the local device, perform the following steps.


  1. Run system-view

    The system view is displayed.

  2. Run pki validate-certificate { ca | local } realm realm-name

    The validity of CA or local certificate is checked.

    The pki validate-certificate ca command allows you to verify only the root CA certificate, but not subordinate CA certificates. When multiple CA certificates are imported on a device, you can use only the pki validate-certificate local command to verify the validity of subordinate certificates.

Updated: 2019-09-23

Document ID: EDOC1000178319

Views: 150365

Downloads: 82

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next