Before a certificate is used, it must be authenticated: the issuing date, the issuer information, and the validity of the certificate are all checked. Authenticating a certificate comes down to verifying the CA's signature on it and checking whether the certificate has expired or been revoked.
To authenticate a certificate, the local device must have the peer certificate and the following: the CA certificate, the CRL, the local certificate with its private key, and the certificate authentication information.
The local device authenticates a local certificate as follows:
1. Uses the public key of the CA certificate to verify the certificate's signature.
To authenticate a certificate, a PKI entity must obtain the public key of the CA that issued the certificate from the CA's certificate, so that the PKI entity can check the CA's signature on the certificate. An upper-level CA authenticates the certificates of lower-level CAs. Authentication proceeds along the certificate chain and terminates at the trustpoint (the root CA, which holds a self-signed certificate, or a subordinate CA trusted by the PKI entity).
PKI entities that share the same root or subordinate CA and hold its CA certificate can authenticate each other's certificates (peer certificates). Authentication of a peer certificate chain ends at the first trusted certificate or CA.
In short, certificate chain authentication starts at an entity's certificate and ends at a trustpoint.
2. Checks whether the certificate has expired.
3. Checks whether the certificate has been revoked, in CRL or None mode.
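The three checks above, as an added example that is not part of the original document: Go's crypto/x509 is run against a constructed root CA (the trustpoint), subordinate CA and entity certificate. Verify walks the signatures up to the trustpoint and enforces the validity period, while the CRL check is done explicitly because Verify does not consult CRLs; the names root, sub, leaf, crlFrom and validate are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Constructed three-tier PKI: root CA (trustpoint, self-signed) -> subordinate CA -> entity certificate.
var rootKey, subKey, leafKey = newKey(), newKey(), newKey()
var root = issue("Root CA", true, &rootKey.PublicKey, nil, rootKey, 1)
var sub = issue("Sub CA", true, &subKey.PublicKey, root, rootKey, 2)
var leaf = issue("device.example", false, &leafKey.PublicKey, sub, subKey, 3)
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// issue signs a certificate for pub with the signer's private key (self-signed when parent is nil).
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil { parent = tpl }
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der); return c
}
// crlFrom builds a CRL signed by the subordinate CA that lists the given serials as revoked.
func crlFrom(revoked ...int64) []byte {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, sub, subKey)
	if err != nil { panic(err) }
	return der
}
// validate runs the three checks from the text: chain signatures up to the trustpoint, validity period at now, CRL revocation.
func validate(c *x509.Certificate, crlDER []byte, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool(); roots.AddCert(root); inters.AddCert(sub)
	// Verify checks each signature with the issuer's public key and the NotBefore/NotAfter window at now, and succeeds only when the chain ends in Roots (the trustpoint).
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now}); err != nil { return err }
	crl, err := x509.ParseRevocationList(crlDER) // Verify does not consult CRLs, so do it explicitly
	if err != nil { return err }
	if err := crl.CheckSignatureFrom(sub); err != nil { return err } // the CRL itself must be signed by the issuing CA
	for _, r := range crl.RevokedCertificates { if r.SerialNumber.Cmp(c.SerialNumber) == 0 { return fmt.Errorf("certificate %v is revoked", c.SerialNumber) } }
	return nil
}
func main() { fmt.Println("valid:", validate(leaf, crlFrom(), time.Now()), "| revoked:", validate(leaf, crlFrom(3), time.Now())) }
```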
To check the validity of the CA and local certificates on the local device, perform the following steps.
1. Enter the system view. The system view is displayed.
2. Run the pki validate-certificate ca or pki validate-certificate local command. The validity of the CA or local certificate is checked.
Note that the pki validate-certificate ca command verifies only the validity of the root CA certificate, not of subordinate CA certificates. When multiple CA certificates are imported on a device, you can verify the validity of subordinate CA certificates only with the pki validate-certificate local command.