- If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
- The pki retrieval-certificate configuration will not be saved in the configuration file.

Configuring PKI Certificate Verification

A certificate needs to be verified before being used. Verifying a certificate means checking that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Before verifying a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs will be used in verification of a certificate.

Configuring CRL-checking-enabled PKI certificate verification

Follow these steps to configure CRL-checking-enabled PKI certificate verification:

| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |
| Enter PKI domain view | pki domain domain-name | — |
| Specify the URL of the CRL distribution point | crl url url-string | Optional. No CRL distribution point URL is specified by default. |
| Set the CRL update period | crl update-period hours | Optional. 0 by default. |
| Enable CRL checking | undo crl check disable | Optional. Enabled by default. |
| Return to system view | quit | — |
| Retrieve the CA certificate | Refer to Retrieving a Certificate Manually | Required |
| Retrieve CRLs | pki retrieval-crl domain domain-name | Required |
| Verify the validity of a certificate | pki validate-certificate { ca | local } domain domain-name | Required |

Configuring CRL-checking-disabled PKI certificate verification

Follow these steps to configure CRL-checking-disabled PKI certificate verification:

| To do… | Use the command… | Remarks |
| Enter system view | system-view | — |