The PKI entity periodically validates the peer certificate, for example, checking whether the certificate has expired and whether it has been added to a CRL. There are three ways to check certificate status: CRL, OCSP, and None.
CRL
If the CA server can function as a CRL distribution point (CDP), the certificate issued by the CA carries CDP information that tells the PKI entity where to obtain the CRL. The PKI entity then uses the specified method (HTTP) to download the CRL from the specified location.
If the CDP URL is configured for a PKI entity, the PKI entity obtains the CRL from the specified URL. If the CA server cannot function as a CDP, the PKI entity uses SCEP to download the CRL.
When the PKI entity authenticates the local certificate, the PKI entity searches for the certificate in the CRL stored in local memory. If the certificate is included in the CRL, it indicates that the certificate has been revoked. If no CRL is available in local memory, the CRL needs to be downloaded and installed.
OCSP
When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.
OCSP does not require the PKI entity to download the CRL frequently. When a PKI entity accesses an OCSP server, the entity requests the certificate status. The OCSP server replies with a valid, expired, or unknown state.
Valid indicates that the certificate has not been revoked.
Expired indicates that the certificate has been revoked.
Unknown indicates that the OCSP server does not know the certificate status.
None
If no CRL or OCSP server is available to the PKI entity or the PKI entity does not need to check the local certificate status, this mode can be used. In this mode, the PKI entity does not check certificate revocation.
Run system-view
The system view is displayed.
Run pki realm realm-name
A PKI realm is created and its view is displayed, or the view of an existing PKI realm is displayed.
By default, the device has a PKI realm named default. This realm can only be modified but cannot be deleted.
Run certificate-check { { crl | ocsp } * [ none ] | none }
The method of checking whether a certificate in the PKI realm is revoked is configured.
By default, the system uses CRLs to check whether a certificate in the PKI realm is revoked.
If multiple certificate status check methods are configured, they are used in the configured order: a later method is tried only when the previous one is unavailable, for example because its server cannot be reached. If None is configured, a certificate is considered valid when all preceding methods are unavailable. For example, after the certificate-check crl none command is executed, the PKI entity first uses the CRL to check certificate status; if the CRL method is unavailable, the certificate is considered valid.
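The fallback order described above, modelled as an added example (not code from the original page or the device): the local CRL is a constructed set of revoked serial numbers (None when no CRL is in memory), the OCSP responder is a constructed dict of serial to state (None when the server cannot be reached), and the None method is what makes the chain fail open.

```python
"""Model of the certificate-check { crl | ocsp } * [ none ] fallback order.

Constructed example: local_crl is a set of revoked serials or None when no CRL
is in memory; responder is a dict serial -> "valid"/"expired"/"unknown", or
None when the OCSP server cannot be connected.
"""
from typing import Iterable, Optional

UNAVAILABLE = "unavailable"


def check_crl(serial: int, local_crl: Optional[set]) -> str:
    # No CRL in memory: the method cannot answer (the page says the CRL must
    # first be downloaded and installed), so the next method is tried.
    if local_crl is None:
        return UNAVAILABLE
    return "revoked" if serial in local_crl else "valid"


def check_ocsp(serial: int, responder: Optional[dict]) -> str:
    # Server cannot be connected: method unavailable, fall through.
    if responder is None:
        return UNAVAILABLE
    state = responder.get(serial, "unknown")
    # The page defines the OCSP "expired" state as: certificate has been revoked.
    return "revoked" if state == "expired" else state


def certificate_check(methods: Iterable[str], serial: int,
                      local_crl: Optional[set] = None,
                      responder: Optional[dict] = None) -> str:
    """Apply methods in configured order; move on only when a method is unavailable.

    'none' means: treat the certificate as valid when every earlier method was
    unavailable (fail open). Without 'none', an all-unavailable chain cannot
    determine the status, which is reported as UNAVAILABLE (fail closed).
    """
    for method in methods:
        if method == "none":
            return "valid"
        result = (check_crl(serial, local_crl) if method == "crl"
                  else check_ocsp(serial, responder))
        if result != UNAVAILABLE:
            return result
    return UNAVAILABLE


if __name__ == "__main__":
    # "certificate-check crl none" with no CRL in memory: the page's own example.
    print(certificate_check(["crl", "none"], 5, local_crl=None))   # valid
    print(certificate_check(["crl"], 5, local_crl=None))           # unavailable
```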
Select a method to check peer certificate status according to the service types provided by the CA:
CRL: automatic update
Run quit
Return to the system view.
(Optional) Run pki file-format { der | pem }
The format of saved CRL is set.
By default, CRL is saved in PEM format.
Run pki realm realm-name
The view of an existing PKI realm is displayed.
Run crl auto-update enable
Automatic CRL update is enabled.
By default, automatic CRL update is enabled.
Run crl update-period interval
The interval for automatic CRL update is set.
By default, the automatic CRL update interval is 8 hours.
Select an automatic CRL update method according to the service types provided by the CA.
SCEP
Run crl scep
The CRL is automatically updated using SCEP.
By default, CRL is automatically updated using HTTP.
Run cdp-url [ esc ] url-addr
The CDP URL is configured.
By default, no CDP URL is configured.
HTTP
Run crl http
The CRL is automatically updated using HTTP.
By default, CRL is automatically updated using HTTP.
Run cdp-url [ esc ] url-addr
The CDP URL is configured.
Or run cdp-url from-ca
The device is configured to obtain CDP URL from the CA certificate.
By default, no CDP URL is configured.
Run crl cache
The PKI realm is allowed to use cached CRLs.
By default, the PKI realm is allowed to use cached CRLs.
(Optional) Update the CRL immediately.
Run quit
Return to the system view.
Run pki get-crl realm realm-name
The CRL is immediately updated.
After this command is executed, the new CRL replaces the old CRL in the storage, and is automatically imported to the memory to replace the old one.
CRL: manual download and import
Run quit
Return to the system view.
(Optional) Run pki file-format { der | pem }
The format of saved CRL is set.
By default, CRL is saved in PEM format.
Run pki http [ esc ] url-address save-name
The CRL is downloaded using HTTP.
The value of url-address must contain the certificate file name plus the file name extension, for example, http://10.1.1.1:8080/cert.cer. If url-address specifies a domain name, ensure that the domain name can be resolved.
Run pki import-crl realm realm-name filename file-name
The CRL is imported to the device memory.
OCSP
(Optional) Run source interface { interface interface-type interface-number | ip-address }
The source interface for TCP connection setup is specified.
By default, the source interface of a TCP connection is the egress interface.
The source interface must be a Layer 3 interface with an IP address configured.
Run ocsp url [ esc ] url-address
The OCSP server's URL is configured.
Or run ocsp-url from-ca
The device is configured to obtain the OCSP server's URL from the CA certificate's AIA option.
By default, the URL of the OCSP server is not configured.
(Optional) Run ocsp nonce enable
The nonce extension is added to the OCSP requests sent by the PKI entity.
By default, the OCSP requests sent by the PKI entity contain the nonce extension.
The nonce extension improves security and reliability of the communication between the PKI entity and the OCSP server. The content of the nonce extension is randomly generated by the system. The response sent by the OCSP server may or may not contain the nonce extension. If the response contains the nonce extension, its value must be the same as the nonce sent in the OCSP request.
(Optional) Run ocsp signature enable
The function of signing OCSP requests is enabled.
By default, the function of signing OCSP requests is disabled.
This command is required when the OCSP server requires OCSP requests to be signed.
Run quit
Return to the system view.
Run pki import-certificate ocsp realm realm-name { der | pkcs12 | pem } [ filename filename ]
Or run pki import-certificate ocsp realm realm-name pkcs12 filename filename password password
The OCSP server certificate is imported to the device memory.
Run pki validate ocsp-server-certificate enable
The function that uses the OCSP server certificate to verify OCSP server packets is enabled.
By default, the function that uses the OCSP server certificate to verify OCSP server packets is enabled.
Run pki ocsp response cache enable
The PKI OCSP response cache function is enabled.
By default, the PKI OCSP response cache function is disabled.
After this command is executed, the PKI entity first searches the cache when checking certificate status using OCSP. If no cached response is found, the PKI entity sends a request to the OCSP server. In addition, the PKI entity caches valid OCSP responses for later lookups.
An OCSP response has a validity period. After the OCSP response cache function is enabled, the PKI entity updates cached OCSP responses every minute and deletes the expired responses.
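The client-side OCSP behaviour described above (nonce handling from the ocsp nonce enable step, and the cache-first lookup with expiry of cached responses), as an added example that is not the device's code. The responder is a constructed callable standing in for the OCSP server, the response fields "status", "nonce" and "next_update" are constructed names, and leaving the cache unchanged when it is full is an assumption (the page does not state an eviction rule).

```python
import secrets
import time
from typing import Callable, Dict

Response = Dict[str, object]   # constructed shape: status, optional nonce, next_update


def nonce_matches(sent: bytes, response: Response) -> bool:
    """Page rule: the response may omit the nonce; if present it must equal the request's."""
    got = response.get("nonce")
    return got is None or secrets.compare_digest(got, sent)


class OcspClient:
    def __init__(self, responder: Callable[[int, bytes], Response],
                 cache_size: int = 2, now: Callable[[], float] = time.time):
        self.responder = responder        # stands in for the OCSP server (constructed)
        self.cache: Dict[int, Response] = {}
        self.cache_size = cache_size      # page default: 2 cached responses
        self.now = now                    # injectable clock so expiry can be tested

    def purge_expired(self) -> None:
        # The periodic refresh from the page: drop responses whose validity period ended.
        self.cache = {s: r for s, r in self.cache.items() if r["next_update"] > self.now()}

    def status(self, serial: int) -> tuple:
        self.purge_expired()
        if serial in self.cache:                       # cache is searched first
            return self.cache[serial]["status"], "cache"
        nonce = secrets.token_bytes(16)                # randomly generated per request
        response = self.responder(serial, nonce)
        if not nonce_matches(nonce, response):
            raise ValueError("OCSP response nonce does not match the request nonce")
        if len(self.cache) < self.cache_size:          # assumption: no eviction when full
            self.cache[serial] = response              # only validated responses are cached
        return response["status"], "server"
```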
(Optional) Run pki ocsp response cache number number
The maximum number of OCSP responses that can be cached by a PKI entity is set.
By default, a PKI entity can cache 2 OCSP responses.
(Optional) Run pki ocsp response cache refresh interval interval
The interval at which the PKI entity refreshes the OCSP response cache is set.
By default, the PKI entity refreshes the OCSP response cache every 5 minutes.
If you want to copy an OCSP server certificate from the local device to another device, run the pki export-certificate ocsp realm realm-name { pem | pkcs12 } command to export the certificate file to the local device storage. The certificate file can then be obtained using a file transfer protocol.
To delete an expired or unused OCSP server certificate from memory, run the pki delete-certificate ocsp realm realm-name command.
To delete an expired or unused CRL from memory, run the pki delete-crl realm realm-name command.