Verifying PKI certificates

A certificate is automatically verified when it is requested, obtained, or used by an application. If the certificate has expired, was not issued by a trusted CA, or has been revoked, it cannot be used.

You can also manually verify a certificate. If it has been revoked, the certificate cannot be requested or obtained.

When verifying the CA certificate of a PKI domain, the system needs to verify all the certificates in the CA certificate chain. For verification to succeed, the device must be configured with the PKI domain of every CA certificate in that chain; if any one of those domains is missing, the chain cannot be completed.

The system verifies the CA certificates in the CA certificate chain as follows:

  1. Identifies the parent certificate of the lowest-level certificate.

    Each CA certificate contains an issuer field that identifies the parent CA that issued the certificate.

  2. Locates the PKI domain to which the parent certificate belongs.

  3. Performs CRL checking in the PKI domain to check whether the parent certificate has been revoked. If it has been revoked, the certificate cannot be used.

    This step will not be performed when CRL checking is disabled in the PKI domain.

  4. Repeats the previous steps for upper-level certificates in the CA certificate chain until the root CA certificate is reached.

  5. Verifies that each CA certificate in the certificate chain is issued by the named parent CA, starting from the root CA.
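The five steps above, modelled as an added Python example (not the device's or vendor's own code). Certificates, PKI domains and CRLs are constructed dictionaries, and the signature check is a SHA-256 tag keyed by the issuer's key, a stand-in for the real RSA/ECDSA verification a device performs; the walk also surfaces the failure modes the text names (a missing PKI domain, a revoked parent that is only caught when the domain's CRL checking is enabled) and shows why step 5 is needed after the name-based walk of steps 1 to 4.

```python
import hashlib

def _sig(issuer_key: str, subject: str, issuer: str, key: str) -> str:
    # Stand-in for a real signature: a SHA-256 tag computed with the issuer's
    # key over the certificate body. A device would verify RSA/ECDSA here.
    body = f"{issuer_key}|{subject}|{issuer}|{key}".encode()
    return hashlib.sha256(body).hexdigest()

def make_cert(subject: str, issuer: str, key: str, issuer_key: str) -> dict:
    return {"subject": subject, "issuer": issuer, "key": key,
            "sig": _sig(issuer_key, subject, issuer, key)}

# Constructed three-level chain and the PKI domains that hold it. Each domain
# has one CA certificate, a CRL (revoked subject names) and its CRL switch.
ROOT = make_cert("RootCA", "RootCA", "k-root", "k-root")   # self-signed root
SUB = make_cert("SubCA", "RootCA", "k-sub", "k-root")
LEAF = make_cert("LeafCA", "SubCA", "k-leaf", "k-sub")
DOMAINS = {
    "root-dom": {"ca_cert": ROOT, "crl": set(), "crl_check": True},
    "sub-dom": {"ca_cert": SUB, "crl": set(), "crl_check": True},
    "leaf-dom": {"ca_cert": LEAF, "crl": set(), "crl_check": True},
}

def verify_ca_cert(domain_name: str, domains: dict = DOMAINS):
    """Steps 1-5 above. Returns (True, chain subjects) or (False, reason)."""
    cert = domains[domain_name]["ca_cert"]
    chain = [cert]
    while cert["subject"] != cert["issuer"]:            # stop at the root CA
        if len(chain) > len(domains):                   # issuer loop guard
            return False, "issuer chain never reaches a self-signed root"
        parent = cert["issuer"]                         # 1. issuer names parent
        dom = next((d for d in domains.values()         # 2. locate its domain
                    if d["ca_cert"]["subject"] == parent), None)
        if dom is None:
            return False, f"no PKI domain holds CA certificate {parent}"
        if dom["crl_check"] and parent in dom["crl"]:   # 3. CRL check, if on
            return False, f"{parent} is revoked"
        cert = dom["ca_cert"]                           # 4. move up one level
        chain.append(cert)
    root = chain[-1]
    if root["sig"] != _sig(root["key"], root["subject"], root["issuer"], root["key"]):
        return False, "root CA certificate is not self-signed"
    # 5. From the root down, confirm each certificate was issued by the parent
    # it names; steps 1-4 matched names only, this step checks the signature.
    for parent, child in zip(reversed(chain), reversed(chain[:-1])):
        expected = _sig(parent["key"], child["subject"], child["issuer"], child["key"])
        if child["sig"] != expected:
            return False, f"{child['subject']} was not issued by {parent['subject']}"
    return True, [c["subject"] for c in chain]
```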