Verifying the Certificates

This section describes how to verify the certificates on the local and peer devices.

Context

If certificate-based IPsec negotiation between two devices fails, run the pki validate-certificate command to check the signature and validity period of the certificates in order to locate the fault.

If the CRL check function has been enabled (for detailed configuration, see Step 1 in Configuring the CRL Function), the system first checks whether the serial number of the peer device's certificate is listed in the CRL and then verifies the signature and validity period of the certificate.

The device automatically and periodically checks the validity of all installed local certificates and CA certificates. The default check period is 5 minutes. If a fault is detected, an alarm is generated. For the certificate validity check, the default expiration pre-warning period is 90 days. That is, an alarm is generated 90 days before a certificate expires, prompting the user to obtain a new certificate in advance.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run pki validate-certificate ca or pki validate-certificate local to manually verify certificates.

    The pki validate-certificate ca command verifies only root CA certificates, not subordinate certificates. If a NetEngine 8000 F device has imported multiple CA certificates, run the pki validate-certificate local command to verify the subordinate certificates.

    If an imported CA file contains multiple certificates, only the first certificate is verified.

  3. (Optional) Run pki set-certificate check-period period-value

    The automatic certificate validity check interval is configured.

  4. (Optional) Run pki set-certificate expire-prewarning prewarning-days

    The pre-warning time for certificate expiration is configured.

  5. Run commit

    The configuration is committed.
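The checks described above (signature against the CA, validity period, the 90-day expiry pre-warning, and the rule that only the first certificate of a CA file is considered) can be reproduced off-box with openssl before a certificate is imported. The script below is an added example, not Huawei code; it builds a constructed throw-away CA and leaf certificate in a temporary directory and assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not from the NetEngine documentation): mirrors the checks the
# device applies to local and CA certificates, using openssl on constructed test data.
PREWARN_DAYS=90   # device default expiration pre-warning period

# Build a throw-away CA and a leaf certificate (constructed test data); prints the directory.
make_test_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=router1" \
    -keyout "$dir/local.key" -out "$dir/local.csr" 2>/dev/null
  # Leaf certificate valid for only 30 days: inside the 90-day pre-warning window.
  openssl x509 -req -in "$dir/local.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/local.crt" 2>/dev/null
  echo "$dir"
}

# Signature and validity period check: openssl verify fails on a bad signature,
# an unknown issuer, or a certificate outside its validity period.
# $1 = trusted CA certificate, $2 = certificate to check
check_signature_and_validity() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Expiry pre-warning: returns 0 while the certificate stays valid beyond the
# pre-warning window, non-zero if it expires within PREWARN_DAYS (device raises an alarm).
outside_prewarning_window() {
  openssl x509 -in "$1" -noout -checkend $((PREWARN_DAYS * 86400)) >/dev/null 2>&1
}

# The device verifies only the first certificate of an imported CA file;
# this prints that first PEM block so it can be checked on its own.
first_cert_in_bundle() {
  awk '/BEGIN CERTIFICATE/{n++} n==1{print} /END CERTIFICATE/{if (n==1) exit}' "$1"
}
```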

Copyright © Huawei Technologies Co., Ltd.