
certificate-check

Function

The certificate-check command sets the method of checking whether a certificate in the PKI realm is revoked.

The undo certificate-check command cancels the method of checking whether a certificate in the PKI realm is revoked.

By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

Format

certificate-check { { crl | ocsp } * [ none ] | none }

undo certificate-check

Only devices in NETCONF mode support the ocsp parameter.

Parameters

Parameter   Description                                                                   Value
crl         Sets the check method to Certificate Revocation List (CRL).                   -
ocsp        Sets the check method to Online Certificate Status Protocol (OCSP).           -
none        Indicates that the system does not check whether a certificate is revoked.   -

Views

PKI realm view

Default Level

2: Configuration level

Usage Guidelines

When the PKI entity validates a peer certificate, it checks, for example, whether the certificate has expired and whether it has been added to a CRL. The certificate-check command sets the method the PKI entity uses to check the peer certificate's revocation status.

The system supports the following methods to check whether a certificate in the PKI realm is revoked:

  • CRL

    • If the CA server can function as a CDP, the certificate issued by the CA contains the CDP information that tells the PKI entity where to obtain the CRL. The PKI entity then uses the specified method (HTTP) to locate the CRL at the specified location and download it. If a CDP URL is configured in the PKI realm, the PKI entity obtains the CRL from that URL instead.

    • If the CA does not support CDPs and no CDP URL is configured on the PKI entity, the PKI entity uses the SCEP protocol to obtain the CRL.
  • OCSP

    The PKI entity can use OCSP to check certificate status online, so it does not need to download CRLs frequently.

    When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.

  • None

    This mode is used when no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the peer certificate status. In this mode, the PKI entity does not check whether a certificate has been revoked.

The configured methods are applied as follows:

  • If the certificate-check crl command is configured for a certificate, the CRL mode is used.
  • If the certificate-check ocsp command is configured for a certificate, the OCSP mode is used.
  • If the certificate-check crl none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check ocsp none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check crl ocsp command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as invalid.
  • If the certificate-check ocsp crl command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as invalid.
  • If the certificate-check crl ocsp none command is configured for a certificate, the CRL mode is used first. If the CRL mode is unavailable, the OCSP mode is used. If the OCSP mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check ocsp crl none command is configured for a certificate, the OCSP mode is used first. If the OCSP mode is unavailable, the CRL mode is used. If the CRL mode is unavailable, the certificate is regarded as valid.
  • If the certificate-check none command is configured for a certificate, the certificate is regarded as valid.
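The eight configurations above follow one rule: the listed methods are tried in order, a method that returns a definitive answer ends the check, a method that is unavailable hands over to the next one, and a trailing none turns "every method unavailable" into "valid" instead of "invalid". The following Python model is an added example (not Huawei code) that parses the command's parameter list and applies that rule; the checker functions, the Outcome values "good"/"revoked"/"unavailable", the certificate serials and the treatment of an unknown OCSP serial as "unavailable" are constructed for this illustration, not taken from the device.

```python
"""Model of certificate-check { { crl | ocsp } * [ none ] | none } fallback order.
Added example, not device code. Outcomes, serials and checkers are constructed."""
from typing import Callable, Dict, List, Set

Outcome = str  # "good" | "revoked" | "unavailable"  (constructed vocabulary)
Verdict = str  # "valid" | "invalid"


def parse_certificate_check(command: str) -> List[str]:
    """Return the ordered parameter list of a certificate-check command.

    Accepts one or more of crl/ocsp in any order, optionally followed by none,
    or none alone. Each keyword may appear at most once (the '*' in the format)."""
    tokens = command.split()
    if tokens[:1] == ["certificate-check"]:
        tokens = tokens[1:]
    if not tokens or len(set(tokens)) != len(tokens):
        raise ValueError("empty or repeated parameters: %r" % command)
    methods = tokens[:-1] if tokens[-1] == "none" else tokens
    if any(m not in ("crl", "ocsp") for m in methods):
        raise ValueError("unknown or misplaced parameter in %r" % command)
    return tokens


def evaluate(methods: List[str], checkers: Dict[str, Callable[[str], Outcome]],
             serial: str) -> Verdict:
    """Apply the configured methods in order.

    A definitive answer ("good"/"revoked") ends the check; "unavailable" falls
    through to the next method. A trailing none is reached only when every
    earlier method was unavailable and makes the certificate valid (soft-fail).
    Running out of methods without none makes the certificate invalid."""
    for method in methods:
        if method == "none":
            return "valid"
        outcome = checkers[method](serial)
        if outcome == "good":
            return "valid"
        if outcome == "revoked":
            return "invalid"
        # "unavailable": try the next configured method
    return "invalid"


def make_crl_checker(revoked_serials: Set[str], crl_present: bool):
    """CRL check: without a CRL file the method is unavailable (see Precautions);
    with one, the answer is definitive either way."""
    def check(serial: str) -> Outcome:
        if not crl_present:
            return "unavailable"
        return "revoked" if serial in revoked_serials else "good"
    return check


def make_ocsp_checker(responder_status: Dict[str, Outcome], reachable: bool):
    """OCSP check: an unreachable responder, or a serial it has no status for
    (assumption: treated like no usable answer), is unavailable."""
    def check(serial: str) -> Outcome:
        if not reachable:
            return "unavailable"
        return responder_status.get(serial, "unavailable")
    return check


def run_scenarios() -> Dict[str, Verdict]:
    """Constructed scenarios covering the configurations listed above."""
    revoked, good = "0x1001", "0x2002"          # constructed serials
    crl_ok = make_crl_checker({revoked}, crl_present=True)
    crl_missing = make_crl_checker(set(), crl_present=False)
    ocsp_up = make_ocsp_checker({revoked: "revoked", good: "good"}, reachable=True)
    ocsp_down = make_ocsp_checker({}, reachable=False)
    p = parse_certificate_check
    return {
        # CRL present and serial listed: revoked, the trailing none does not help
        "crl none / crl present / revoked": evaluate(p("crl none"), {"crl": crl_ok}, revoked),
        # No CRL file and no none: verification fails even for a good serial
        "crl / crl missing / good": evaluate(p("crl"), {"crl": crl_missing}, good),
        # No CRL file but none configured: a revoked certificate passes
        "crl none / crl missing / revoked": evaluate(p("crl none"), {"crl": crl_missing}, revoked),
        # CRL unavailable, OCSP answers: OCSP decides
        "crl ocsp / crl missing / revoked": evaluate(p("crl ocsp"), {"crl": crl_missing, "ocsp": ocsp_up}, revoked),
        # Both unavailable, no none: invalid
        "crl ocsp / both down / good": evaluate(p("crl ocsp"), {"crl": crl_missing, "ocsp": ocsp_down}, good),
        # Both unavailable, none: valid, even for a revoked serial
        "crl ocsp none / both down / revoked": evaluate(p("crl ocsp none"), {"crl": crl_missing, "ocsp": ocsp_down}, revoked),
        # OCSP first and reachable: CRL is never consulted
        "ocsp crl / ocsp up / good": evaluate(p("ocsp crl"), {"ocsp": ocsp_up, "crl": crl_ok}, good),
        "none / revoked": evaluate(p("none"), {}, revoked),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print("%-40s -> %s" % (name, verdict))
```

The "crl none / crl missing / revoked" and "crl ocsp none / both down / revoked" rows are the cases behind the precaution below: with none appended, an outage of the CRL source or OCSP responder is enough for a revoked certificate to be accepted, which is why the device documentation advises against it.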

Precautions

After the certificate-check crl command is configured, if the device does not have the CRL file, the device fails the certificate verification, and the certificate becomes invalid.

It is not recommended that the none parameter be specified in the certificate-check command, because such a configuration poses security risks.

Example

# Set the certificate check method to crl none in PKI realm test. If the CRL mode is unavailable, the certificate is regarded as valid.

<HUAWEI> system-view
[HUAWEI] pki realm test
[HUAWEI-pki-realm-test] certificate-check crl none
Copyright © Huawei Technologies Co., Ltd.