pki retrieve-crl
Use pki retrieve-crl to obtain CRLs and save them locally.
Syntax
pki retrieve-crl domain domain-name
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 36.
Table 36: Special characters
Character name | Symbol | Character name | Symbol |
---|---|---|---|
Tilde | ~ | Dot | . |
Asterisk | * | Left angle bracket | < |
Backslash | \ | Right angle bracket | > |
Vertical bar | | | Quotation marks | " |
Colon | : | Apostrophe | ' |
Usage guidelines
CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the correct CA certificate.
The URL of the CRL repository is specified by using the crl url command.
The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol. Which protocol is used depends on the configuration of the CRL repository in the PKI domain:
If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the HTTP protocol.
If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the LDAP protocol. If the specified URL does not have a host name, for example, ldap:///CN=8088,OU=test,U=rd,C=cn, you must specify the LDAP server's URL for the PKI domain by using the ldap server command. The device can obtain the complete URL of the LDAP repository by combining the URLs of the LDAP server and of the CRL repository.
If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from the CRL repository. If no CRL repository is found, the device obtains CRLs through the SCEP protocol.
Examples
# Obtain CRLs from the CRL repository.
<Sysname> system-view [Sysname] pki retrieve-crl domain aaa
Related commands
crl url
ldap server