
pki validate-certificate whitelist enable

Function

The pki validate-certificate whitelist enable command enables PKI certificate whitelist check.

The undo pki validate-certificate whitelist enable command disables PKI certificate whitelist check.

By default, PKI certificate whitelist check is disabled.

The virtual system does not support this command.

Format

pki validate-certificate whitelist enable

undo pki validate-certificate whitelist enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In an LTE scenario, the device establishes IPSec tunnels with multiple base stations using certificate negotiation. The certificate whitelist function is developed to facilitate unified management of base station certificates, determining the base stations allowed to establish IPSec tunnels with the device.

A certificate whitelist contains the common names (CNs) from the certificate subjects of base stations. After PKI certificate whitelist check is enabled, the local device compares the CN in the subject of the remote device's certificate, as carried in the received certificate authentication packet, with the CNs in the local certificate whitelist. If no whitelist entry matches, authentication fails and an IPSec tunnel cannot be established between the two devices.

Precautions

Before you enable PKI certificate whitelist check, ensure that the certificate whitelist file has been imported to the device memory using the pki import whitelist command. Otherwise, PKI certificate whitelist check fails, causing authentication failure.
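The following Python is an added illustration of the whitelist decision described in the Usage Scenario and the precaution above; it is example code, not Huawei's implementation. The RFC 4514-style subject string form, the whitelist contents and the CN values are assumptions.

```python
# Added example (not Huawei code): models the PKI certificate whitelist
# check. The subject-DN string form and the whitelist entries are assumed.
from typing import List, Optional, Set, Tuple


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style subject string into (type, value) pairs,
    honouring backslash-escaped commas so a CN such as 'site\\,north'
    is not cut in two."""
    pairs: List[Tuple[str, str]] = []
    field: Optional[str] = None
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and field is None:
            field = "".join(buf).strip()
            buf = []
        elif ch == ",":
            pairs.append((field or "", "".join(buf).strip()))
            field, buf = None, []
        else:
            buf.append(ch)
    if field is not None:
        pairs.append((field, "".join(buf).strip()))
    return pairs


def subject_cn(dn: str) -> Optional[str]:
    """Return the first CN attribute, or None if the subject has no CN."""
    cns = [v for t, v in parse_subject_dn(dn) if t.upper() == "CN"]
    return cns[0] if cns else None


def whitelist_allows(peer_subject: str, whitelist: Optional[Set[str]]) -> bool:
    """Decision after 'pki validate-certificate whitelist enable': the peer's
    subject CN must match an imported whitelist entry exactly. An empty or
    missing whitelist (nothing imported with 'pki import whitelist') fails
    the check, which is the precaution noted above."""
    if not whitelist:
        return False
    cn = subject_cn(peer_subject)
    return cn is not None and cn in whitelist


# Constructed sample whitelist: CNs of three permitted base stations.
WHITELIST = {"gnb-0001.example.net", "gnb-0002.example.net", "enb-0100.example.net"}
```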

Example

# Enable PKI certificate whitelist check.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] pki validate-certificate whitelist enable
Copyright © Huawei Technologies Co., Ltd.