NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Certificate Validity Check

To ensure communication security during IPsec negotiation, configure certificate validity check.

Context

When a certificate is obtained, an IPsec tunnel can be set up between two devices after the devices pass identity verification during IPsec negotiation. To ensure communication security during IPsec negotiation, configure certificate validity check. A router supports CRL check and the verification of CA certificates and local certificates.

Pre-configuration Tasks

Before configuring certificate validity check, complete the task of Obtaining Certificates.

Configuration Procedures

Figure 13-5 Configuring certificate validity check

Configuring the CRL Function

Configuring the CRL function consists of enabling CRL check and updating the CRL. After the CRL function is configured, a device checks the validity of the peer device's certificate. If the serial number of the peer device's certificate is listed in the CRL, the peer device's certificate has been revoked and is considered invalid.

Context

Before configuring the CRL function, be aware of the following information:

  • Enable CRL check.

    Before configuring CRL, enable CRL check.

    When a certificate is being verified after CRL check is enabled, the CRL is queried to check whether it contains the serial number of the certificate. If the CRL contains the serial number of the certificate, the certificate has been revoked and is considered invalid. For detailed configurations of verifying a certificate, see Verifying the Certificates.

  • Update the CRL.

    To ensure that the latest CRL is used, check the CRL status periodically and download the latest CRL from the CRL server using HTTP or LDAP.

    Updating the CRL consists of automatically updating the CRL and manually updating the CRL. Automatically updating the CRL can be implemented using HTTP or LDAP. After the specified interval elapses, the system automatically downloads the CRL using HTTP or LDAP. When the latest CRL is urgently required, manually update the CRL by downloading the CRL from the CRL server.

Procedure

  1. Enable CRL check.

    1. Run system-view

      The system view is displayed.

    2. Run pki crl check enable

      CRL check is enabled.

  2. Update the CRL.

    NOTE:

    When the system is configured to automatically update the CRL using HTTP or LDAP, note the following:

    • Ensure that the CF card has sufficient space for the CRL file.

    Perform the following operations as needed.

    • Enable the function of automatically updating the CRL using HTTP.

      1. Run system-view

        The system view is displayed.

      2. Run pki domain domain-name

        The PKI domain view is displayed.

      3. Run crl auto-update enable

        The function of automatically updating the CRL is enabled.

      4. Run crl update-period interval

        An interval between two consecutive automatic CRL updates is configured.

      5. Run crl http

        The function of automatically updating the CRL using HTTP is enabled.

      6. Run crl url url-addr [ source source-ip-address ] [ vpn-instance vpn-instance-name ]

        The URL of the CRL is configured.

        This command can be executed only after the crl http command is run.

      7. Run commit

        The configuration is committed.

    • Enable the function of automatically updating the CRL using LDAP.

      1. Run system-view

        The system view is displayed.

      2. Run pki domain domain-name

        The PKI domain view is displayed.

      3. Run crl auto-update enable

        The function of automatically updating the CRL is enabled.

      4. Run crl update-period interval

        An interval between two consecutive automatic CRL updates is configured.

      5. Run crl ldap

        The function of automatically updating the CRL using LDAP is enabled.

      6. Run ldap-server { authentication ldap-dn ldap-password | ip ldap-ip-address [ source source-ip-address ] { [ port port ] | [ version version ] } * }

        The LDAP server is configured.

        This command can be executed only after the crl ldap command is run.

      7. Run crl ldap [ attribute attr-value ] dn dn-value

        The identifier that a device uses to obtain a CRL from the LDAP server is specified.

        This command can be executed only after the crl ldap command is run.

      8. Run commit

        The configuration is committed.

    • Manually update the CRL.

      1. Perform the following operations as needed.

        • Run system-view

          The system view is displayed.

        • Run pki http url-addr save-name [ source source-ip-address ]

          The function of downloading the CRL using HTTP is enabled.

        • Run pki ldap ip ldap-ip-address [ source source-ip-address ] port port version version [ attribute attr-value ] [ authentication ldap-dn ldap-password ] save-name dn dn-value

          The function of downloading the CRL using LDAP is enabled.

      2. Run pki import-certificate crl filename file-name

        The CRL is imported.

      3. Run commit

        The configuration is committed.

Verifying the Certificates

This section describes how to verify the certificates on the local and peer devices.

Context

If IPsec negotiation that is implemented using certificates fails between two devices, run the pki validate-certificate command to check the signature and validity period of certificates for fault locating.

If the CRL check function has been enabled (for detailed configuration, see Step 1 in Configuring the CRL Function), the system first checks whether the serial number of the peer device's certificate is listed in the CRL and then verifies the signature and validity period information.
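The following is an added example, not part of this guide and not Huawei's implementation: a small Python model of the decision sequence described above and in Configuring the CRL Function. It checks the peer certificate's serial number against the CRL (only when CRL check is enabled, mirroring pki crl check enable), then the validity period, and separately decides whether the CRL is due for automatic download after the configured update interval (mirroring crl update-period). Signature verification against the CA public key is outside this model and is noted in the code. The issuer name, serial numbers, dates and update interval are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Certificate:
    """Minimal view of an X.509 certificate: only the fields this model needs."""
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    """A downloaded CRL: who issued it, when the device fetched it, and which serials it revokes."""
    issuer: str
    downloaded_at: datetime
    revoked_serials: FrozenSet[int]


def crl_update_due(crl: CRL, update_period: timedelta, now: datetime) -> bool:
    """True once the configured interval has elapsed since the last download (auto-update trigger)."""
    return now - crl.downloaded_at >= update_period


def validate_certificate(cert: Certificate, crl: Optional[CRL], now: datetime,
                         crl_check_enabled: bool = True) -> str:
    """Return a status string following the order the guide describes: CRL check, then validity period.

    Signature verification (the other check the guide names) needs the CA public key and real
    X.509 parsing; it is deliberately not modelled here.
    """
    if crl_check_enabled:
        if crl is None:
            return "no-crl"                 # CRL check enabled but no CRL has been obtained yet
        if crl.issuer != cert.issuer:
            return "crl-issuer-mismatch"    # a CRL from another issuer says nothing about this cert
        if cert.serial in crl.revoked_serials:
            return "revoked"                # serial listed in the CRL: certificate is invalid
    if now < cert.not_before:
        return "not-yet-valid"
    if now > cert.not_after:
        return "expired"
    return "valid"


# Constructed sample data (hypothetical issuer name, serials and dates).
NOW = datetime(2019, 1, 2, 12, 0, tzinfo=timezone.utc)
ISSUER = "CN=Example Root CA"   # constructed
YEAR = timedelta(days=365)

SAMPLE_CRL = CRL(issuer=ISSUER, downloaded_at=NOW - timedelta(hours=2),
                 revoked_serials=frozenset({0x1001}))

SAMPLE_CERTS: Dict[str, Certificate] = {
    "peer-revoked": Certificate(0x1001, ISSUER, NOW - YEAR, NOW + YEAR),
    "peer-good":    Certificate(0x1002, ISSUER, NOW - YEAR, NOW + YEAR),
    "peer-expired": Certificate(0x1003, ISSUER, NOW - 2 * YEAR, NOW - timedelta(days=1)),
}


def run_demo(crl_check_enabled: bool = True) -> Dict[str, str]:
    """Validate every sample certificate against the sample CRL and return name -> status."""
    return {name: validate_certificate(cert, SAMPLE_CRL, NOW, crl_check_enabled)
            for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
    print("CRL update due (24h period):",
          crl_update_due(SAMPLE_CRL, timedelta(hours=24), NOW))
```

Running run_demo(crl_check_enabled=False) reports the revoked certificate as valid, which is the practical reason the guide has you enable CRL check before relying on certificate validity; the crl_update_due helper shows why the update period matters, since a revocation published after the last download is invisible until the next one.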

Procedure

  1. Run system-view

    The system view is displayed.

  2. Manually verify certificates.

    NOTE:

    The pki validate-certificate ca command verifies only root CA certificates, not subordinate certificates. If an NE20E device imports multiple CA certificates, run the pki validate-certificate local command to verify subordinate certificates.

    If an imported CA file contains multiple certificates, only the first certificate is verified.

    • Run pki validate-certificate ca filename file-name

      The root certificate is verified.

    • Run pki validate-certificate local filename file-name

      The local certificate or subordinate certificate is verified.

  3. Run commit

    The configuration is committed.

Updated: 2019-01-02

Document ID: EDOC1100055397
