pki validate-certificate

Use pki validate-certificate to verify the validity of certificates.

Syntax

pki validate-certificate domain domain-name { ca | local }

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 37.

Table 37: Special characters

Character name	Symbol	Character name	Symbol
Tilde	~	Dot	.
Asterisk	*	Left angle bracket	<
Backslash	\	Right angle bracket	>
Vertical bar	\|	Quotation marks	"
Colon	:	Apostrophe	'

ca: Specifies the CA certificate.

local: Specifies the local certificates.

Usage guidelines

Generally, certificates are automatically verified when you request, obtain, or import them, or when an application uses PKI.

You can also use this command to manually verify a certificate in the following aspects:

Whether the certificate is issued by a trusted CA.
Whether the certificate has expired.
Whether the certificate is revoked. This check is performed only if CRL checking is enabled.

When CRL checking is enabled:

To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a correct CRL is found, the device loads the CRL to the PKI domain. If no correct CRL is found locally, the device obtains a correct CRL from the CA server and saves it locally.
To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current CA to the root CA.

Examples

# Verify the validity of the CA certificate in PKI domain aaa.

<Sysname> system-view
[Sysname] pki validate-certificate domain aaa ca
Verifying certificate......
        Serial Number:
            f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5
        Issuer:
            C=cn
            O=ccc
            OU=ppp
            CN=rootca
        Subject:
            C=cn
            O=abc
            OU=test
            CN=aca

Verify result: OK
Verifying certificate......
        Serial Number:
            5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6
        Issuer:
            C=cn
            O=ccc
            OU=ppp
            CN=rootca
        Subject:
            C=cn
            O=ccc
            OU=ppp
            CN=rootca

Verify result: OK

# Verify the local certificates in PKI domain aaa.

<Sysname> system-view
[Sysname] pki validate-certificate domain aaa local
Verifying certificate......
        Serial Number:
            bc:05:70:1f:0e:da:0d:10:16:1e
        Issuer:
            C=CN
            O=sec
            OU=software
            CN=bca
        Subject:
            O=OpenCA Labs
            OU=Users
            CN=fips fips-sec

Verify result: OK

Related commands

crl check

pki domain

prev	up	next
pki storage	home	public-key dsa