Configuring Certificate Validity Check

To ensure communication security during IPsec negotiation, configure certificate validity check.

Context

When a certificate is obtained, an IPsec tunnel can be set up between two devices after the devices pass the identity verification during IPsec negotiation. To ensure communication security during IPsec negotiation, configure certificate validity check. A router supports CRL check, CA certificates, and local certificates.

Pre-configuration Tasks

Before configuring certificate validity check, complete the task of Obtaining Certificates.

Configuring the CRL Function: Configuring the CRL function consists of enabling CRL check and updating the CRL. After the CRL function is configured, a device checks the validity of the peer device's certificate. If the serial number of the peer device's certificate is listed in the CRL, the peer device's certificate has been revoked and is considered invalid.

Verifying the Certificates: This section describes how to verify the certificates on the local and peer devices.