A certificate whitelist contains common names (CNs) in the certificate subjects of base stations.
In an LTE scenario, the device establishes IPSec tunnels with multiple base stations using certificate negotiation. The certificate whitelist provides unified management of base station certificates by determining which base stations are allowed to establish IPSec tunnels with the device. After PKI certificate whitelist check is enabled, the local device checks whether the CN in the subject of the remote device's certificate, carried in the received certificate authentication packet, matches an entry in the local certificate whitelist. If no entry matches, authentication fails and an IPSec tunnel cannot be established between the two devices.
To make PKI certificate whitelist check take effect, import certificate whitelist files to the device.
Run the display pki whitelist { all | filename file-name } command to check the content of certificate whitelist files on the device.
Run the pki validate-certificate whitelist enable command to enable PKI certificate whitelist check.
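The following Python model of the whitelist check described above is an added example, not code from the vendor documentation or the device. It assumes a whitelist file that holds one CN per line (with '#' comment lines), a peer certificate subject given as an RFC 4514 style string, and an exact, case-sensitive comparison of the CN against the whitelist entries; the file format, the matching rule and the sample subjects are assumptions made for this illustration.

```python
"""Added example: model of a PKI certificate whitelist check.

Assumptions (not taken from the device documentation):
  - the whitelist file lists one common name (CN) per line; blank lines
    and lines starting with '#' are ignored;
  - the peer subject is an RFC 4514 style string such as
    'C=CN,O=Operator,CN=enodeb-0001';
  - the CN must match a whitelist entry exactly (case-sensitive).
"""

from typing import Iterable, List, Optional, Set, Tuple


def parse_subject_rdns(subject: str) -> List[Tuple[str, str]]:
    """Split a subject string into (attribute, value) pairs.

    Backslash-escaped characters (for example a comma inside an
    organisation name, written as '\\,') are kept literally.
    """
    pairs: List[Tuple[str, str]] = []
    key: List[str] = []
    value: List[str] = []
    cur = key
    i = 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            cur.append(subject[i + 1])  # escaped character, keep as-is
            i += 2
            continue
        if ch == "=" and cur is key:
            cur = value  # first '=' separates attribute type from value
        elif ch == ",":
            if key:
                pairs.append(("".join(key).strip(), "".join(value).strip()))
            key, value = [], []
            cur = key
        else:
            cur.append(ch)
        i += 1
    if key:
        pairs.append(("".join(key).strip(), "".join(value).strip()))
    return pairs


def subject_common_name(subject: str) -> Optional[str]:
    """Return the CN attribute of the subject, or None when it is absent.

    Attribute types are compared case-insensitively ('cn' equals 'CN');
    the value itself is returned unchanged.
    """
    for attr, val in parse_subject_rdns(subject):
        if attr.upper() == "CN":
            return val
    return None


def load_whitelist(lines: Iterable[str]) -> Set[str]:
    """Read whitelist entries from text lines (assumed one-CN-per-line format)."""
    entries: Set[str] = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def whitelist_check(subject: str, whitelist: Set[str]) -> bool:
    """True only when the peer certificate's CN is listed in the whitelist.

    A certificate with no CN at all is rejected, mirroring the rule that a
    non-matching CN makes authentication fail.
    """
    cn = subject_common_name(subject)
    return cn is not None and cn in whitelist


# Constructed sample whitelist file content (not real base station names).
SAMPLE_WHITELIST = """# base stations permitted to build IPSec tunnels (constructed sample)
enodeb-0001
enodeb-0002
"""

if __name__ == "__main__":
    wl = load_whitelist(SAMPLE_WHITELIST.splitlines())
    for subj in ("C=CN,O=Operator,CN=enodeb-0001",   # listed -> accept
                 "C=CN,O=Operator,CN=enodeb-0099",   # not listed -> reject
                 "C=CN,O=Operator"):                 # no CN -> reject
        print(subj, "->", "accept" if whitelist_check(subj, wl) else "reject")
```

The parser keeps escaped commas inside values so that an organisation name such as "Acme\, Inc" does not split the subject into extra attributes; the check itself is deliberately strict, since the page states that any CN not present in the whitelist causes authentication to fail.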