
Fat AP and Cloud AP V200R010C00 Command Reference

certificate-check

Function

The certificate-check command sets the method of checking whether a certificate in the PKI realm is revoked.

The undo certificate-check command restores the default check method.

By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

Format

certificate-check { { crl | ocsp } * [ none ] | none }

undo certificate-check

Parameters

Parameter  Description                                                                 Value
crl        Sets the check method to Certificate Revocation List (CRL).                 -
ocsp       Sets the check method to Online Certificate Status Protocol (OCSP).         -
none       Indicates that the system does not check whether a certificate is revoked.  -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

After this command is executed, the PKI entity validates the peer certificate, for example, checks whether the certificate has expired and whether it appears in the CRL.

The system supports the following methods to check whether a certificate in the PKI realm is revoked:

  • CRL

    • If the CA server can function as a CDP, the certificate issued by the CA contains CDP information that identifies where the CRL can be obtained. The PKI entity then uses the specified method (HTTP) to retrieve the CRL from that location. If a CDP URL is configured in the PKI realm, the PKI entity obtains the CRL from the configured URL instead.

    • If the CA does not support CDPs and no CDP URL is configured on the PKI entity, the PKI entity uses SCEP to obtain the CRL.
  • OCSP

    The PKI entity can use OCSP to check the certificate status online, so CRLs do not need to be downloaded frequently.

    When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.

  • None

    This mode is used when no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the peer certificate status. In this mode, the PKI entity does not check whether a certificate has been revoked.

The configured combination of keywords determines the check order and what happens when a method is unavailable (for example, the CRL file is not present on the device or the OCSP server cannot be reached):

  • If certificate-check crl is configured, the CRL mode is used.
  • If certificate-check ocsp is configured, the OCSP mode is used.
  • If certificate-check crl none is configured, the CRL mode is used first. If the CRL mode is unavailable, the certificate is regarded as valid.
  • If certificate-check ocsp none is configured, the OCSP mode is used first. If the OCSP mode is unavailable, the certificate is regarded as valid.
  • If certificate-check crl ocsp is configured, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is also unavailable, the certificate is regarded as invalid.
  • If certificate-check ocsp crl is configured, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is also unavailable, the certificate is regarded as invalid.
  • If certificate-check crl ocsp none is configured, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is also unavailable, the certificate is regarded as valid.
  • If certificate-check ocsp crl none is configured, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is also unavailable, the certificate is regarded as valid.
  • If certificate-check none is configured, the certificate is regarded as valid without any revocation check.

Precautions

After the certificate-check crl command is configured, if the device does not have the CRL file, the device fails the certificate verification, and the certificate is regarded as invalid. The same applies to any combination without a trailing none: when no configured method can be reached, the certificate is rejected (the check fails closed). Appending none reverses this behavior: a certificate whose revocation status cannot be determined is accepted (the check fails open), so a certificate that has already been revoked is still accepted while the CRL or OCSP source is unreachable. Use none only when no CRL or OCSP server is available to the PKI entity and accepting an unverified peer certificate is acceptable for the deployment.
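The fallback order in the usage guidelines and the fail-open/fail-closed distinction in the precautions can be checked against a small model. The following Python is an added example, not Huawei code: it validates an argument list against the command format { { crl | ocsp } * [ none ] | none }, walks the configured methods in the documented order, and compares every documented combination under one constructed scenario in which the CRL cannot be downloaded and the OCSP responder reports the peer certificate as revoked. The class and function names (Status, parse_certificate_check, evaluate, compare_configs) and the scenario data are this example's own assumptions. It also assumes that a definitive revoked answer from a reachable method is final and is not overridden by a later method or by none, which is how the guidelines describe none (a fallback only when a method is unavailable).

```python
# Added example (not Huawei code): model of the certificate-check fallback
# chain. Names and sample scenarios are assumptions of this example.
from enum import Enum
from typing import Dict, List, Tuple


class Status(Enum):
    GOOD = "good"                # method reachable, certificate not revoked
    REVOKED = "revoked"          # method reachable, certificate is revoked
    UNAVAILABLE = "unavailable"  # CRL not present / OCSP responder unreachable


KEYWORDS = ("crl", "ocsp", "none")


def parse_certificate_check(args: str) -> List[str]:
    """Validate args against { { crl | ocsp } * [ none ] | none }.

    Returns the ordered method list; raises ValueError for an argument list
    the format does not allow (empty, unknown or repeated keyword, or
    'none' anywhere except in the last position).
    """
    methods = args.split()
    if not methods:
        raise ValueError("at least one method keyword is required")
    seen = set()
    for pos, m in enumerate(methods):
        if m not in KEYWORDS:
            raise ValueError(f"unknown keyword {m!r}")
        if m in seen:
            raise ValueError(f"keyword {m!r} repeated")
        if m == "none" and pos != len(methods) - 1:
            raise ValueError("'none' may only appear as the last keyword")
        seen.add(m)
    return methods


def is_valid_syntax(args: str) -> bool:
    """True when the argument list matches the command format."""
    try:
        parse_certificate_check(args)
        return True
    except ValueError:
        return False


def fails_open(methods: List[str]) -> bool:
    """True when an unreachable CRL/OCSP source leads to acceptance."""
    return methods[-1] == "none"


def evaluate(methods: List[str], results: Dict[str, Status]) -> Tuple[bool, str]:
    """Walk the configured methods in order, as the usage guidelines describe.

    results maps 'crl'/'ocsp' to what that source reported; a method with no
    entry is treated as unavailable. Returns (accepted, reason).
    Assumption of this model: a definitive 'revoked' answer from a reachable
    method is final and is not overridden by a later method or by 'none'.
    """
    for m in methods:
        if m == "none":
            return True, "revocation status not checked: regarded as valid"
        status = results.get(m, Status.UNAVAILABLE)
        if status is Status.GOOD:
            return True, f"{m}: certificate not revoked"
        if status is Status.REVOKED:
            return False, f"{m}: certificate revoked"
        # Status.UNAVAILABLE: fall through to the next configured method.
    return False, "no configured method could be reached: regarded as invalid"


# Constructed scenario (not measured data): the CRL download has failed on
# this device and the OCSP responder reports the peer certificate as revoked.
SCENARIO = {"crl": Status.UNAVAILABLE, "ocsp": Status.REVOKED}


def compare_configs(results: Dict[str, Status] = SCENARIO) -> Dict[str, bool]:
    """Outcome of each documented combination under the same scenario."""
    configs = ["crl", "ocsp", "crl none", "ocsp none", "crl ocsp",
               "ocsp crl", "crl ocsp none", "ocsp crl none", "none"]
    return {c: evaluate(parse_certificate_check(c), results)[0] for c in configs}


if __name__ == "__main__":
    for cfg, accepted in compare_configs().items():
        chain = parse_certificate_check(cfg)
        print(f"certificate-check {cfg:<14} -> {'ACCEPT' if accepted else 'REJECT'}"
              f"{'  (fails open)' if fails_open(chain) else ''}")
```

Under the constructed scenario, only crl none and none accept the certificate: crl none never consults OCSP because the chain reaches none as soon as the CRL is unavailable, so a revocation that the OCSP responder knows about goes unnoticed, whereas crl ocsp none falls through to OCSP first and rejects the certificate. That is the practical difference between placing none after a single method and placing it after both.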

Example

# Set the certificate check method to crl none in PKI realm test. If the CRL mode is unavailable, the certificate is regarded as valid.

<Huawei> system-view
[Huawei] pki realm test 
[Huawei-pki-realm-test] certificate-check crl none
Updated: 2019-11-21

Document ID: EDOC1100064352