The certificate-check command sets the method of checking whether a certificate in the PKI realm is revoked.
The undo certificate-check command cancels the method of checking whether a certificate in the PKI realm is revoked.
By default, the system does not check whether a certificate in the PKI realm is revoked.
| Parameter | Description | Value |
|---|---|---|
| crl | Sets the check method to Certificate Revocation List (CRL). | - |
| ocsp | Sets the check method to Online Certificate Status Protocol (OCSP). | - |
| none | Indicates that the system does not check whether a certificate is revoked. | - |
Usage Scenario
After this command is executed, the PKI entity validates the peer certificate, for example, whether the peer certificate has expired and whether it is listed in a CRL.
The system supports the following methods to check whether a certificate in the PKI realm is revoked:

- CRL
  - SCEP: This is the default method of obtaining the CRL. It is not recommended if you need to obtain CRLs in a batch.
  - HTTP: If the CA server can function as a CRL distribution point (CDP), the CA certificate contains CDP information that describes how the CRL is obtained. The PKI entity then uses the specified method (HTTP) to locate the CRL at the specified location and download it. You can also manually configure a CDP URL.
  - LDAP and LDAPv3 templates: The PKI entity inserts the LDAP server attributes and its identity into the CRL query packet and sends the packet to the LDAP server to obtain the CRL.
- OCSP
  - The PKI entity can use OCSP to check certificate status online, so CRLs do not need to be downloaded frequently.
  - When two PKI entities use certificates to perform IPSec negotiation, they check the peer certificate status through OCSP in real time.
- None
  - This mode is used when no CRL or OCSP server is available to the PKI entity, or when the PKI entity does not need to check the peer certificate status. In this mode, the PKI entity does not check whether a certificate has been revoked.
Precautions
If this command is not executed in a PKI realm, the global certificate check method takes effect. The global certificate check method is configured by the pki crl check enable or undo pki crl check enable command in the system view.
The device can use the method configured in the PKI realm to check certificate status only after the PKI realm has been associated with a CA using the ca-name command.
After the certificate-check crl command is configured, if the device does not have the CRL file, certificate verification fails and the certificate is treated as invalid.
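The following configuration sequence is an added example, not taken from the original reference page, showing the weak setting (no revocation check) next to the hardened one, together with the CA association the precautions require. The realm name pki_realm1, the CA name ca1 and the exact prompt strings are assumptions; only the commands named on this page (ca-name, certificate-check, undo certificate-check, pki crl check enable) plus the standard system-view and pki realm view entry are used.

```text
# Enter the system view and the PKI realm view (realm name is assumed).
<Huawei> system-view
[Huawei] pki realm pki_realm1

# Associate the realm with a CA first; the realm-level check method
# only takes effect after this association (CA name is assumed).
[Huawei-pki-realm-pki_realm1] ca-name ca1

# Weak setting: peer certificates are accepted even if they have been revoked.
[Huawei-pki-realm-pki_realm1] certificate-check none

# Hardened setting: query certificate status online in real time via OCSP,
# so no CRL file has to be present on the device.
[Huawei-pki-realm-pki_realm1] certificate-check ocsp

# Alternative hardened setting: check against a CRL. Note that if no CRL
# file is available on the device, verification fails and the peer
# certificate is treated as invalid.
[Huawei-pki-realm-pki_realm1] certificate-check crl

# Removing the realm-level setting falls back to the global method
# configured with "pki crl check enable" in the system view.
[Huawei-pki-realm-pki_realm1] undo certificate-check
```

When choosing between ocsp and crl, verify that the device can actually reach the OCSP responder or obtain the CRL before enforcing the check; with crl configured and no CRL file present, every peer certificate in the realm fails verification.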