Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring Local Certificate Check
Context

The PKI entity periodically validates the peer certificate, for example, whether the certificate has expired and whether it appears in a certificate revocation list (CRL). There are two ways to check certificate status: CRL and None.

  • CRL

    If the CA server can function as a CRL distribution point (CDP), the certificate issued by the CA contains the CDP information needed to obtain the CRL. The PKI entity then uses the specified method (HTTP) to retrieve the CRL from the specified location and download it.

    If the CDP URL is configured for a PKI entity, the PKI entity obtains the CRL from the specified URL. If the CA server cannot function as a CDP, the PKI entity uses SCEP to download the CRL.

    When the PKI entity authenticates the local certificate, it searches for the certificate in the CRL stored in local memory. If the certificate is listed in the CRL, the certificate has been revoked. If no CRL is available in local memory, the CRL must first be downloaded and imported.

  • None

    If no CRL is available to the PKI entity or the PKI entity does not need to check the local certificate status, this mode can be used. In this mode, the PKI entity does not check the revocation status of the certificate at all.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki realm realm-name

    A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.

    By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.

  3. Run certificate-check { crl [ none ] | none }

    The method used to check whether a certificate has been revoked is configured in the PKI realm.

    By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

    If multiple certificate status check methods are configured, they are tried in the configured order. A later method is used only when the previous method is unavailable, for example, because the CRL server cannot be reached. If None is configured, a certificate is considered valid when all the preceding methods are unavailable. For example, after the certificate-check crl none command is executed, the PKI entity first uses the CRL to check certificate status; if the CRL method is unavailable, the certificate is considered valid. Note that this is fail-open behavior: an attacker who can prevent the device from reaching the CDP can also prevent a revoked certificate from being rejected. Use the none fallback only where availability of the service outweighs revocation checking; otherwise keep the default (certificate-check crl) so that an unreachable CDP causes certificate validation to fail.

  4. Select how the CRL used for the check is obtained, automatically or manually, according to the services provided by the CA:

Automatic CRL Update

  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Run pki realm realm-name

    The view of an existing PKI realm is displayed.

  4. Run crl auto-update enable

    Automatic CRL update is enabled.

    By default, automatic CRL update is enabled.

  5. Run crl update-period interval

    The interval for automatic CRL update is set.

    By default, the automatic CRL update interval is 8 hours.

  6. Select an automatic CRL update method according to the service types provided by the CA.

    • SCEP

      1. Run crl scep

        The CRL is automatically updated using SCEP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        By default, no CDP URL is configured.

    • HTTP

      1. Run crl http

        The CRL is automatically updated using HTTP.

        By default, CRL is automatically updated using HTTP.

      2. Run cdp-url [ esc ] url-addr

        The CDP URL is configured.

        Or run cdp-url from-ca

        The device is configured to obtain CDP URL from the CA certificate.

        By default, no CDP URL is configured.

  7. Run crl cache

    The PKI realm is allowed to use the CRL in cache.

    By default, the PKI realm is allowed to use cached CRLs.

  8. (Optional) Update the CRL immediately.

    1. Run quit

      Return to the system view.

    2. Run pki get-crl realm realm-name

      The CRL is immediately updated.

      After this command is executed, the new CRL replaces the old CRL in the storage, and is automatically imported to the memory to replace the old one.
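The following is a complete command sequence for the automatic CRL update procedure above, added here as an illustration and not taken from the original document. It assumes a PKI realm named abc, an HTTP-reachable CDP at http://10.1.1.1:8080/ca.crl, and a 4-hour update interval (the interval unit is taken to be hours, matching the default of 8 hours stated above); the prompts are representative of the VRP CLI and the realm name, URL, and file name are assumptions.

```text
<HUAWEI> system-view
[HUAWEI] pki file-format pem
[HUAWEI] pki realm abc
[HUAWEI-pki-realm-abc] certificate-check crl
[HUAWEI-pki-realm-abc] crl auto-update enable
[HUAWEI-pki-realm-abc] crl update-period 4
[HUAWEI-pki-realm-abc] crl http
[HUAWEI-pki-realm-abc] cdp-url http://10.1.1.1:8080/ca.crl
[HUAWEI-pki-realm-abc] crl cache
[HUAWEI-pki-realm-abc] quit
[HUAWEI] pki get-crl realm abc
```

The realm is configured with certificate-check crl rather than certificate-check crl none, so an unreachable CDP results in a failed check instead of silently accepting a possibly revoked certificate. If the issued certificates carry a CDP extension, cdp-url from-ca can replace the explicit cdp-url line. The final pki get-crl realm abc command forces an immediate download so the device does not wait up to one update period before it holds a current CRL.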

Manual CRL Update

  1. Run quit

    Return to the system view.

  2. (Optional) Run pki file-format { der | pem }

    The format of saved CRL is set.

    By default, CRL is saved in PEM format.

  3. Run pki http [ esc ] url-address save-name

    The CRL is downloaded using HTTP and saved under the specified file name.

    The value of url-address must contain the name of the file to download, including its file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.

  4. Run pki import-crl realm realm-name filename file-name

    The CRL file is imported into memory so that the PKI realm can use it for revocation checks.
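The following is a complete command sequence for the manual CRL update procedure above, added here as an illustration and not taken from the original document. It assumes a PKI realm named abc and a CRL file published at http://10.1.1.1:8080/ca.crl that is saved locally as ca.crl; the prompts are representative of the VRP CLI and the realm name, URL, and file names are assumptions.

```text
<HUAWEI> system-view
[HUAWEI] pki file-format pem
[HUAWEI] pki http http://10.1.1.1:8080/ca.crl ca.crl
[HUAWEI] pki import-crl realm abc filename ca.crl
```

Because a manually imported CRL is not refreshed by the device, it becomes stale once its next-update time passes; repeat the download and import before that time, and remove an expired list with pki delete-crl realm abc so that stale revocation data is not kept in memory.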

Follow-up Procedure

  • To delete an expired or unused CRL from memory, run the pki delete-crl realm realm-name command.

Updated: 2019-04-01

Document ID: EDOC1000178319
