NE40E V800R010C10SPC500 Feature Description - Security 01



Certificate revocation means that the CA revokes a certificate when it expires or becomes invalid. An entity certificate may be revoked in the following situations:

  • Change of user information.
  • Disclosure of the user private key.
  • Disclosure of the CA private key.
  • The entity certificate expires and the device needs a new one.
  • The security policy is changed and imposes a new requirement (a longer or shorter key) on the signature function. Therefore, a new public/private key pair, a new signature, and a new entity certificate are required.

When receiving the peer's certificate, the device needs to check whether the certificate has been revoked by the CA. The simplest way to ensure that the peer's certificate is valid is to download the latest certificate from the peer and the CA during each authentication. This method, however, consumes system resources, and the re-authentication delay may cause the connection to be re-established, which disrupts communication between the devices.

This problem can be solved as follows:

  • The CA saves the serial numbers of revoked certificates in a Certificate Revocation List (CRL).
  • The device caches the peer's certificate locally and periodically downloads the CRL from the CA.
  • Because the peer's certificate is held in the cache, the device only needs to compare the certificate's serial number with the entries in the CRL to authenticate the peer. If the serial number appears in the CRL, the peer's certificate has been revoked, and the device requests a new certificate from the peer or the CA. If the serial number does not appear in the CRL, the peer's certificate is valid and the copy in the local cache can be used.

The device can update the CRL in the following methods:

  • Automatic update

    The device communicates with the CRL server through HTTP or LDAP, periodically sends update requests to the CRL server, and automatically downloads the CRL from the server.

  • Manual update

    The CRL can be downloaded from the CRL server by manually running commands on the device.
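The cache-and-CRL check described above, together with the point at which a CRL refresh is needed, is modelled in the following added example (it is not code from the NE40E documentation or the device). The issuer names, serial numbers and validity windows are constructed sample data; the example also carries through a check the text does not spell out, that a serial number is only meaningful in the CRL of the CA that issued the certificate, and that a CRL whose nextUpdate has passed cannot be relied on until it is re-downloaded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PeerCert:
    issuer: str   # issuing CA; serial numbers are unique only per issuer
    serial: int


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: frozenset


def crl_is_current(crl: CRL, now: datetime) -> bool:
    """A CRL is usable only inside its thisUpdate..nextUpdate window."""
    return crl.this_update <= now < crl.next_update


def check_cached_peer(cert: PeerCert, crls: dict, now: datetime) -> str:
    """Decide what to do with a peer certificate held in the local cache.

    Returns 'use_cached'   when the serial is not on the issuer's current CRL,
            'request_cert' when the serial is on the CRL (fetch a new certificate),
            'refresh_crl'  when no current CRL exists for this issuer (download one first).
    """
    crl = crls.get(cert.issuer)
    if crl is None or not crl_is_current(crl, now):
        return "refresh_crl"
    if cert.serial in crl.revoked_serials:
        return "request_cert"
    return "use_cached"


def authenticate_all(cache: dict, crls: dict, now: datetime) -> dict:
    """Run the check over every cached peer certificate."""
    return {peer: check_cached_peer(cert, crls, now) for peer, cert in cache.items()}


# Constructed sample data (hypothetical CA names, serials and times).
NOW = datetime(2019, 1, 3, 12, 0, tzinfo=timezone.utc)
CRLS = {
    "CN=Example Root CA": CRL("CN=Example Root CA", NOW - timedelta(hours=1),
                              NOW + timedelta(hours=23), frozenset({0x1A2B, 0x3C4D})),
    "CN=Example Old CA": CRL("CN=Example Old CA", NOW - timedelta(days=30),
                             NOW - timedelta(days=29), frozenset({0x1A2B})),  # expired CRL
}
CACHE = {
    "peer-a": PeerCert("CN=Example Root CA", 0x1A2B),  # serial on current CRL
    "peer-b": PeerCert("CN=Example Root CA", 0x9999),  # serial not on CRL
    "peer-c": PeerCert("CN=Example Old CA", 0x9999),   # issuer's CRL is stale
    "peer-d": PeerCert("CN=Other CA", 0x1A2B),         # same serial, different CA, no CRL
}

if __name__ == "__main__":
    for peer, action in authenticate_all(CACHE, CRLS, NOW).items():
        print(f"{peer}: {action}")
```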

Updated: 2019-01-03

Document ID: EDOC1100055047
