certificate-check
Function
The certificate-check command sets the method of checking whether a certificate in the PKI realm is revoked.
The undo certificate-check command cancels the method of checking whether a certificate in the PKI realm is revoked.
By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.
Parameters
Parameter | Description | Value
---|---|---
crl | Sets the check method to Certificate Revocation List (CRL). | -
ocsp | Sets the check method to Online Certificate Status Protocol (OCSP). | -
none | Indicates that the system does not check whether a certificate is revoked. | -
Usage Guidelines
After this command is executed, the PKI entity validates the peer certificate, for example, checking whether the peer certificate has expired and whether it is listed in a CRL.
The system supports the following methods to check whether a certificate in the PKI realm is revoked:
CRL
- If the CA server can function as a CDP, the certificate issued by the CA contains CDP information describing where the CRL can be obtained. The PKI entity then uses the specified method (HTTP) to locate and download the CRL from that location. If a CDP URL is configured in the PKI realm, the PKI entity obtains the CRL from the configured URL.
- If the CA does not support CDPs and no CDP URL is configured on the PKI entity, the PKI entity uses SCEP to obtain the CRL.
OCSP
The PKI entity can use OCSP to check certificate status online, and you do not need to frequently download CRLs.
When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.
None
This mode is used when no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the peer certificate status. In this mode, the PKI entity does not check whether a certificate has been revoked.
The behavior of each configuration is as follows:
- If the certificate-check crl command is configured for a certificate, the CRL mode is used.
- If the certificate-check ocsp command is configured for a certificate, the OCSP mode is used.
- If the certificate-check crl none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the certificate is regarded as valid.
- If the certificate-check ocsp none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the certificate is regarded as valid.
- If the certificate-check crl ocsp command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as invalid.
- If the certificate-check ocsp crl command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as invalid.
- If the certificate-check crl ocsp none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as valid.
- If the certificate-check ocsp crl none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as valid.
- If the certificate-check none command is configured for a certificate, the certificate is regarded as valid.
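The fallback order listed above can be summarised as one rule: methods are tried left to right, an unavailable method falls through to the next one, reaching none accepts the certificate, and exhausting the list without none rejects it. The following is an added example modelling that rule; it is not the device's code, and it assumes that a method which is available and reports the certificate as revoked rejects it immediately regardless of what follows in the list.

```python
"""Model of the certificate-check fallback order (added example, not vendor code)."""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


# A probe returns a Status, or None when the method is unavailable
# (no CRL file on the device, OCSP responder not reachable).
Probe = Callable[[], Optional[Status]]


def parse_certificate_check(line: str) -> List[str]:
    """Turn 'certificate-check crl ocsp none' into ['crl', 'ocsp', 'none']."""
    words = line.split()
    if not words or words[0] != "certificate-check":
        raise ValueError("not a certificate-check command")
    return words[1:]


def check_certificate(methods: List[str], probes: Dict[str, Probe]) -> bool:
    """Return True if the certificate is accepted as valid under `methods`."""
    for method in methods:
        if method == "none":
            return True            # no check performed: treated as valid
        result = probes[method]()
        if result is None:
            continue               # method unavailable: fall through to next
        # Assumption: a definite answer ends the evaluation.
        return result is Status.GOOD
    return False                   # every real check unavailable and no 'none'


# Constructed probes for the situations described in the Usage Guidelines.
CRL_MISSING: Probe = lambda: None
OCSP_DOWN: Probe = lambda: None
OCSP_SAYS_GOOD: Probe = lambda: Status.GOOD
CRL_SAYS_REVOKED: Probe = lambda: Status.REVOKED

if __name__ == "__main__":
    cfg = {"crl": CRL_MISSING, "ocsp": OCSP_DOWN}
    # 'crl ocsp' with neither source available: invalid
    print(check_certificate(parse_certificate_check("certificate-check crl ocsp"), cfg))
    # appending 'none' turns the same failure into acceptance
    print(check_certificate(parse_certificate_check("certificate-check crl ocsp none"), cfg))
```

Running the two cases in the main block prints False and then True, which is the difference the Precautions section warns about when none is appended.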
Precautions
After the certificate-check crl command is configured, if the device does not have the CRL file, the device fails the certificate verification, and the certificate becomes invalid.
It is not recommended that the none parameter be specified in the certificate-check command, because such a configuration poses security risks.