ssl verify enable

Function

The ssl verify enable command enables digital certificate verification.

The undo ssl verify enable command disables digital certificate verification.

By default, digital certificate verification is disabled.

Format

ssl verify basic-constrain enable

ssl verify version cert-version3 enable

ssl verify version crl-version2 enable

ssl verify key-usage enable

undo ssl verify basic-constrain enable

undo ssl verify version cert-version3 enable

undo ssl verify version crl-version2 enable

undo ssl verify key-usage enable

Parameters

Parameter         Description                                                        Value
version           Indicates the version of a digital certificate or CRL.             -
cert-version3     Indicates the X.509v3 digital certificate.                         -
crl-version2      Indicates the X.509v2 certificate revocation list (CRL).           -
key-usage         Indicates the extended key usage field of a digital certificate.   -
basic-constrain   Indicates the basic constraint fields of a digital certificate.    -

Views

SSL policy view

Default Level

3: Management level

Task Name and Operations

Task Name   Operations
ssl         write

Usage Guidelines

Usage Scenario

  • Verifying a digital certificate and its certification path can reject invalid digital certificates and improve security.
  • To check whether the local and peer digital certificates are X.509v3, run the ssl verify version cert-version3 enable command.
  • To check whether the local CRL is X.509v2, run the ssl verify version crl-version2 enable command.
  • To verify the extended key usage field of the peer digital certificate, run the ssl verify key-usage enable command. If the field does not exist, verification is not performed. OIDs to be verified: when the local end functions as a client, the system checks whether the field in the digital certificate sent by the server contains SSL server (id-kp 1, OID 1.3.6.1.5.5.7.3.1); when the local end functions as a server, the system checks whether the field in the digital certificate sent by the client contains SSL client (id-kp 2, OID 1.3.6.1.5.5.7.3.2).
  • To verify the basic constraint fields of the CA certificate sent by the peer end, run the ssl verify basic-constrain enable command. The check determines whether the entity type is CA. If no basic constraint field exists, verification fails.
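The following Go program is an added illustration, not Huawei code, of the decision logic the bullets above describe, together with the precaution below that key-usage and basic-constrain checks only take effect once peer verification is enabled for the bound service. It uses the standard crypto/x509 package, models the three certificate switches (the CRL version switch is not modelled), and builds constructed self-signed test certificates so it runs offline. The function and type names (Role, VerifyOptions, CheckPeerCert, CheckCACert, MakeTestCert) are assumptions for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Role is the local end's role in the TLS handshake.
type Role int

const (
	Client Role = iota
	Server
)

// VerifyOptions mirrors three of the command's switches (hypothetical type).
type VerifyOptions struct {
	CertVersion3    bool // ssl verify version cert-version3 enable
	KeyUsage        bool // ssl verify key-usage enable
	BasicConstraint bool // ssl verify basic-constrain enable
}

// CheckPeerCert applies the enabled checks to the peer's end-entity certificate.
// peerVerify is whether peer verification is enabled for the bound service;
// without it only the version check applies, and only when the local end is a client.
func CheckPeerCert(cert *x509.Certificate, role Role, peerVerify bool, opt VerifyOptions) error {
	versionCheck := func() error {
		if opt.CertVersion3 && cert.Version != 3 { // Go reports X.509v3 as Version == 3
			return fmt.Errorf("certificate is X.509v%d, X.509v3 required", cert.Version)
		}
		return nil
	}
	if !peerVerify {
		if role == Client {
			return versionCheck()
		}
		return nil
	}
	if err := versionCheck(); err != nil {
		return err
	}
	// Extended key usage: skipped entirely when the extension is absent.
	if opt.KeyUsage && len(cert.ExtKeyUsage) > 0 {
		want := x509.ExtKeyUsageServerAuth // local client expects id-kp 1 (1.3.6.1.5.5.7.3.1)
		if role == Server {
			want = x509.ExtKeyUsageClientAuth // local server expects id-kp 2 (1.3.6.1.5.5.7.3.2)
		}
		for _, eku := range cert.ExtKeyUsage {
			if eku == want {
				return nil
			}
		}
		return errors.New("extended key usage lacks the OID required for the peer's role")
	}
	return nil
}

// CheckCACert applies the basic-constrain rule to the CA certificate sent by the
// peer: the extension must be present and must mark the entity as a CA.
func CheckCACert(ca *x509.Certificate, opt VerifyOptions) error {
	if !opt.BasicConstraint {
		return nil
	}
	if !ca.BasicConstraintsValid {
		return errors.New("basic constraints extension absent: verification fails")
	}
	if !ca.IsCA {
		return errors.New("basic constraints present but entity is not a CA")
	}
	return nil
}

// MakeTestCert builds a self-signed X.509v3 certificate with the requested
// extensions. It only produces constructed sample input for this example.
func MakeTestCert(eku []x509.ExtKeyUsage, setBasicConstraints, isCA bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sample"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           eku,
		BasicConstraintsValid: setBasicConstraints,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	all := VerifyOptions{CertVersion3: true, KeyUsage: true, BasicConstraint: true}
	server := MakeTestCert([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, false)
	fmt.Println("client checking a server-auth cert:", CheckPeerCert(server, Client, true, all))
	fmt.Println("server checking a server-auth cert:", CheckPeerCert(server, Server, true, all))
	fmt.Println("CA without basic constraints:", CheckCACert(MakeTestCert(nil, false, false), all))
}
```

The first call returns nil and the second returns an error: the same certificate is acceptable to a local client (it carries id-kp 1) but not to a local server (it lacks id-kp 2), which is the role asymmetry the key-usage bullet describes.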

Prerequisites

An SSL policy has been created using the ssl policy command.

Precautions

  • If a file fails version verification, a verification failure message and the file name are displayed. The file must be uninstalled so that the verification can succeed.
  • After version verification is enabled, only files meeting requirements can be loaded. If the device attempts to load files that do not meet requirements, a loading failure message is displayed.
  • Verification on the peer digital certificate takes effect only after peer verification is enabled for the service to which the SSL policy is bound. If peer verification is not enabled for the local service, the peer digital certificate is checked only when the ssl verify version cert-version3 enable command is run and the local end functions as a client. The ssl verify key-usage enable or ssl verify basic-constrain enable command does not take effect.

Example

# Enable verification on the basic constraint fields of a digital certificate.
<HUAWEI> system-view
[~HUAWEI] ssl policy abc
[*HUAWEI-ssl-policy-abc] ssl verify basic-constrain enable
Copyright © Huawei Technologies Co., Ltd.