crl url
Use crl url to specify the URL of the CRL repository.
Use undo crl url to restore the default.
Syntax
crl url url-string [ vpn-instance vpn-instance-name ]
undo crl url
Default
The URL of the CRL repository is not specified.
Views
PKI domain view
Predefined user roles
network-admin
mdc-admin
Parameters
url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the CRL repository is on the public network, do not specify this option.
Usage guidelines
To use CRL checking, a CRL must be obtained from a CRL repository.
The device selects a CRL repository in the following order:
CRL repository specified in the PKI domain by using this command.
CRL repository in the certificate that is being verified.
CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.
After the previous selection process, if the CRL repository is not found, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must have been obtained.
If an LDAP URL is specified, the device must connect to the LDAP server to obtain the CRL. If the LDAP URL does not contain the address of the LDAP server, use the ldap-server command to configure the server address in the PKI domain.
Examples
# Set the URL of the CRL repository to http://169.254.0.30.
<Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] crl url http://169.254.0.30
# Set the URL of the CRL repository to ldap://169.254.0.30 in MPLS L3VPN instance vpn1.
<Sysname> system-view [Sysname] pki domain 1 [Sysname-pki-domain-1] crl url ldap://169.254.0.30 vpn-instance vpn1
Related commands
ldap-server
pki retrieve-crl