
pki validate-certificate

Function

The pki validate-certificate command allows you to verify the validity of a CA certificate or a local certificate.

Format

pki validate-certificate { ca | local } { realm realm-name | filename file-name }

Parameters

| Parameter | Description | Value |
|---|---|---|
| ca | Checks validity of the CA certificate. | - |
| local | Checks validity of the local certificate. | - |
| realm realm-name | Specifies the PKI realm name of a certificate to be checked. | The value must be an existing PKI realm name. |
| filename file-name | Specifies the file name of the certificate to be checked. | The value must be an existing certificate file name. |

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an end entity verifies a peer certificate, it checks the status of the peer certificate. For example, the end entity checks whether the peer certificate has expired and whether the certificate is in a CRL.

To verify the validity of a CA certificate or a local certificate, run the pki validate-certificate command.
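
The two status checks named above (validity period and CRL membership), modeled as an added Python example. This is not Huawei's implementation: the record types, function names and sample values are constructed for illustration, signature verification is out of scope, and rejecting a stale or wrong-issuer CRL is an assumption of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Cert:                      # constructed stand-in for a parsed X.509 certificate
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime

@dataclass
class Crl:                       # constructed stand-in for a parsed CRL
    issuer: str
    next_update: datetime
    revoked_serials: set = field(default_factory=set)

def check_status(cert, crl, now):
    """Return a list of failure reasons; an empty list means the certificate passed."""
    problems = []
    # Validity period: both bounds are checked, not only expiry.
    if now < cert.not_before:
        problems.append("not yet valid")
    if now > cert.not_after:
        problems.append("expired")
    # A CRL only speaks for certificates issued by the CA that published it.
    if crl.issuer != cert.issuer:
        problems.append("CRL issuer mismatch")
        return problems
    # Assumption: a CRL past its nextUpdate time is rejected rather than trusted.
    if now > crl.next_update:
        problems.append("CRL stale")
    if cert.serial in crl.revoked_serials:
        problems.append("revoked")
    return problems

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (hypothetical CA name and serial numbers)
CA = "CN=Example Root CA"
CRL_SAMPLE = Crl(CA, utc(2024, 7, 1), {0x1A2B})
GOOD = Cert(0x0001, CA, utc(2024, 1, 1), utc(2025, 1, 1))
REVOKED = Cert(0x1A2B, CA, utc(2024, 1, 1), utc(2025, 1, 1))
EXPIRED = Cert(0x0002, CA, utc(2023, 1, 1), utc(2024, 1, 1))

if __name__ == "__main__":
    now = utc(2024, 6, 15)
    for name, cert in (("good", GOOD), ("revoked", REVOKED), ("expired", EXPIRED)):
        print(name, check_status(cert, CRL_SAMPLE, now) or "valid")
```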

Prerequisites

A PKI realm has been configured using the pki realm (system view) command, or the specified certificate file already exists on the device.

Precautions

The pki validate-certificate ca command allows you to verify only the root CA certificate, but not subordinate CA certificates. When multiple CA certificates are imported on a device, you can use only the pki validate-certificate local command to verify the validity of subordinate certificates.

Example

# Configure the device to check the validity of the local certificate using a CRL.
<sysname> system-view
[sysname] pki realm abc
[sysname-pki-realm-abc] certificate-check crl
[sysname-pki-realm-abc] quit
[sysname] pki validate-certificate local realm abc
Copyright © Huawei Technologies Co., Ltd.