pki whitelist enable

Function

The pki whitelist enable command enables global PKI whitelist check.

The undo pki whitelist enable command disables global PKI whitelist check.

By default, global PKI whitelist check is disabled.

Format

pki whitelist enable

undo pki whitelist enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
pki          write

Usage Guidelines

Usage Scenario

In LTE scenarios, a security gateway and base stations use certificates to negotiate IPsec tunnels. The PKI whitelist on the security gateway can be used to uniformly manage the certificates of base stations. If PKI whitelist check is enabled on the security gateway using the pki whitelist enable command, the common names in the certificate subjects of the base stations must be imported into the security gateway's PKI whitelist before the base stations' certificates can be verified.

Configuration Impact

After PKI whitelist check is enabled for an IKE peer using the pki whitelist enable command, when the IKE peer receives certificate authentication packets from a remote device, it checks whether the common names in the remote certificate subjects match the PKI whitelist. If they do not, the authentication fails.

After PKI whitelist check is disabled for an IKE peer using the pki whitelist disable command, when the IKE peer receives certificate authentication packets from a remote device, it does not check whether the common names in the remote certificate subjects match the PKI whitelist.

Precautions

The common names are case-sensitive.

The changes in the PKI whitelist check status of an IKE peer do not affect IPsec tunnels that have been established.

If the pki whitelist enable or pki whitelist disable command has been run in the IKE peer view, the configuration in the IKE peer view takes effect, regardless of whether global PKI whitelist check is enabled.
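The following script is an added illustration of the two rules above (exact, case-sensitive common-name matching, and the IKE peer view taking precedence over the global setting); it is not Huawei code and does not run on the device. It is the kind of pre-check an operator can run on an offline list of base-station certificate subjects before enabling global PKI whitelist check, so that a CN that differs from the whitelist only in letter case is caught before it causes an authentication failure. The subject DNs, the whitelist entries and the function names are all constructed for this example.

```python
"""Offline pre-check for a PKI whitelist rollout (added example, not Huawei code).

Given the subject DNs of base-station certificates and the common names that
will be imported into the security gateway's PKI whitelist, report which
certificates would pass or fail the whitelist check. Matching is exact and
case-sensitive, as the command reference states. All sample values below are
constructed for illustration.
"""
import re

# Subject DNs of base-station certificates (constructed; not from any real device).
SUBJECTS = [
    "C=CN,O=Operator,OU=RAN,CN=eNB-0001",
    "C=CN,O=Operator,OU=RAN,CN=enb-0002",   # differs from the whitelist only in case
    "C=CN,O=Operator,OU=RAN,CN=eNB-0003",   # not whitelisted at all
    "C=CN,O=Operator,OU=RAN",               # no CN in the subject
]

# Common names to be imported into the gateway's PKI whitelist (constructed).
WHITELIST = {"eNB-0001", "eNB-0002"}


def common_name(subject_dn):
    """Return the CN attribute value of an RFC 4514-style DN string, or None."""
    # Split on commas that are not escaped with a backslash.
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() == "CN":
            return value.strip()
    return None


def whitelist_check(subject_dn, whitelist):
    """Mimic the gateway's check: the CN must match a whitelist entry exactly.

    Returns (passes, reason). A case-only difference is reported separately
    because it is the most common reason for an unexpected failure.
    """
    cn = common_name(subject_dn)
    if cn is None:
        return False, "no CN in subject"
    if cn in whitelist:
        return True, "CN whitelisted"
    if cn.lower() in {w.lower() for w in whitelist}:
        return False, "case mismatch (whitelist is case-sensitive)"
    return False, "CN not in whitelist"


def effective_check_enabled(global_enabled, peer_setting):
    """Resolve which setting applies to one IKE peer.

    peer_setting is None when neither 'pki whitelist enable' nor
    'pki whitelist disable' has been run in the IKE peer view; otherwise it is
    True or False and overrides the global setting.
    """
    if peer_setting is not None:
        return peer_setting
    return global_enabled


def audit(subjects, whitelist):
    """Return {subject_dn: (passes, reason)} for every certificate subject."""
    return {s: whitelist_check(s, whitelist) for s in subjects}


if __name__ == "__main__":
    for subject, (ok, why) in audit(SUBJECTS, WHITELIST).items():
        print(f"{'PASS' if ok else 'FAIL'} {subject}: {why}")
```

Running the script lists one passing subject and three failing ones, with the case-only mismatch called out explicitly; fix such entries in the whitelist (or reissue the certificates) before running pki whitelist enable in the system view, since the change does not affect tunnels that are already up but will affect every new negotiation on peers that have no explicit IKE peer view setting.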

Example

# Enable global PKI whitelist check.
<HUAWEI> system-view
[~HUAWEI] pki whitelist enable
Copyright © Huawei Technologies Co., Ltd.