Verifying certificates with CRL checking

CRL checking determines whether a certificate is listed in the CRL. If it is, the certificate has been revoked and its home entity is not trusted.

To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order:

  1. CRL repository specified in the PKI domain by using the crl url command.

  2. CRL repository in the certificate that is being verified.

  3. CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.

If no CRL repository is found after the selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.

When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain of the domain. To ensure a successful certificate verification process, the device must have all the PKI domains to which the CA certificates in the certificate chain belong.

Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate. After identifying the parent certificate of a certificate, the system locates the PKI domains to which the parent certificate belongs. If CRL checking is enabled for those domains, the system checks whether the CA certificate has been revoked. The process continues until the root CA certificate is reached. The system then verifies that each CA certificate in the certificate chain was issued by the named parent CA, starting from the root CA.
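The repository selection order and the chain walk described above, modelled as an added example (not the device's own code or any vendor API). Certificates, PKI domains and the saved CRL contents are constructed in-memory; the URLs and names are made up for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_url: Optional[str] = None      # CRL distribution point carried in the certificate

@dataclass
class PkiDomain:
    name: str
    ca_cert: Cert
    crl_check: bool = True             # "crl check enable" (enabled by default)
    crl_url: Optional[str] = None      # configured with "crl url"
    revoked: set = field(default_factory=set)  # serials from the CRL saved for this domain

def select_crl_source(domain, cert, upper_ca=None):
    """Pick the CRL repository in the order the page gives; SCEP is the fallback."""
    if domain.crl_url:                          # 1. configured in the PKI domain
        return "domain", domain.crl_url
    if cert.crl_url:                            # 2. carried in the certificate being verified
        return "certificate", cert.crl_url
    if cert is domain.ca_cert:                  # 3b. the CA certificate itself is being verified
        if upper_ca is not None and upper_ca.crl_url:
            return "upper-ca", upper_ca.crl_url
    elif domain.ca_cert.crl_url:                # 3a. repository named in the domain's CA certificate
        return "ca", domain.ca_cert.crl_url
    return "scep", None                         # nothing found: obtain the CRL through SCEP

def verify_ca_chain(domains, start):
    """Walk from a domain's CA certificate up to the self-signed root, checking each
    certificate against the CRL held by the domain of its issuer."""
    by_subject = {d.ca_cert.subject: d for d in domains}
    cert = start.ca_cert
    while cert.issuer != cert.subject:          # a self-signed certificate is the root CA
        parent = by_subject.get(cert.issuer)
        if parent is None:                      # every chain member needs a PKI domain on the device
            return False, f"no PKI domain holds the parent CA {cert.issuer}"
        if parent.crl_check and cert.serial in parent.revoked:
            return False, f"{cert.subject} is revoked by {cert.issuer}"
        cert = parent.ca_cert
    return True, f"chain verified up to root {cert.subject}"

# Constructed sample: a root CA, a subordinate CA, and one PKI domain for each.
ROOT = Cert("CN=Root CA", "CN=Root CA", 1, crl_url="http://root.example/root.crl")
SUB = Cert("CN=Sub CA", "CN=Root CA", 2)
ROOT_DOMAIN = PkiDomain("root", ROOT)
SUB_DOMAIN = PkiDomain("sub", SUB, crl_url="http://sub.example/sub.crl")
```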

To verify certificates with CRL checking:

Step | Command | Remarks
---- | ------- | -------
1. Enter system view. | system-view | N/A
2. Enter PKI domain view. | pki domain domain-name | N/A
3. (Optional.) Specify the URL of the CRL repository. | crl url url-string [ vpn-instance vpn-instance-name ] | By default, the URL of the CRL repository is not specified.
4. Enable CRL checking. | crl check enable | By default, CRL checking is enabled.
5. Return to system view. | quit | N/A
6. Obtain the CA certificate. | See "Obtaining certificates." | N/A
7. (Optional.) Obtain the CRL and save it locally. | pki retrieve-crl domain domain-name | The newly obtained CRL overwrites the old one, if any. The obtained CRL must be issued by a CA certificate in the CA certificate chain of the current domain.
8. Manually verify the validity of the certificates. | pki validate-certificate domain domain-name { ca | local } | N/A