Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 74.

Table 74 Special characters

Character name      Symbol    Character name         Symbol
Tilde               ~         Dot                    .
Asterisk            *         Left angle bracket     <
Backslash           \         Right angle bracket    >
Vertical bar        |         Quotation marks        "
Colon               :         Apostrophe             '

Usage guidelines

CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain.

To obtain CRLs, a PKI domain must have the correct CA certificate.

The URL of the CRL repository is specified by using the crl url command.

The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol. Which protocol is used depends on the configuration of the CRL repository in the PKI domain:

• If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the HTTP protocol.
• If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the LDAP protocol. If the specified URL does not have a host name, for example, ldap:///CN=8088,OU=test,U=rd,C=cn, you must specify the LDAP server's URL for the PKI domain by using the ldap server command. The device can obtain the complete URL of the LDAP repository by combining the URLs of the LDAP server and of the CRL repository.
• If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from the CRL repository. If no CRL repository is found, the device obtains CRLs through the SCEP protocol.

Examples

# Obtain CRLs from the CRL repository.
<Sysname> system-view
[Sysname] pki retrieve-crl domain aaa

Related commands

crl url
ldap server

pki storage

Use pki storage to specify the storage path for the certificates or CRLs.

Use undo pki storage to restore the default.

Syntax

pki storage { certificates | crls } dir-path
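
Returning to the protocol selection described in the usage guidelines for pki retrieve-crl: the helper below is an added example, not vendor code, that walks the same order so a planned PKI domain can be checked before revocation checking relies on it. The function name, the "host[:port]" form of ldap_server, and the way a hostless LDAP URL is joined with the server are assumptions; the page does not state the exact combination rule.

```python
from urllib.parse import urlsplit


def crl_fetch_plan(crl_url=None, ldap_server=None, cert_cdps=()):
    """Return (protocol, location) for CRL retrieval in one PKI domain.

    crl_url     -- repository set with `crl url`, or None if not configured
    ldap_server -- LDAP server for the domain as "host[:port]" (assumed form)
    cert_cdps   -- repository URLs found in the local certificates first,
                   then in the CA certificate (constructed input)
    """
    # No configured repository: use the first one named in the certificates.
    url = crl_url or next(iter(cert_cdps), None)
    if url is None:
        return ("SCEP", None)  # nothing found anywhere: SCEP fallback

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "http":
        return ("HTTP", url)
    if scheme == "ldap":
        if parts.netloc:
            return ("LDAP", url)
        # Hostless form such as ldap:///CN=...: needs the domain's LDAP server.
        if not ldap_server:
            raise ValueError(f"{url!r} has no host and no LDAP server is set")
        # Assumed combination rule: server gives the host, URL gives the DN.
        return ("LDAP", f"ldap://{ldap_server}{parts.path}")
    raise ValueError(f"unsupported CRL repository URL scheme: {url!r}")


if __name__ == "__main__":
    # Constructed sample domains for illustration only.
    samples = {
        "http-repo": dict(crl_url="http://crl.example.test/ca.crl"),
        "ldap-hostless": dict(crl_url="ldap:///CN=8088,OU=test,U=rd,C=cn",
                              ldap_server="ldap.example.test"),
        "from-cert": dict(cert_cdps=["http://cdp.example.test/sub.crl"]),
        "nothing-set": dict(),
    }
    for name, cfg in samples.items():
        print(name, crl_fetch_plan(**cfg))
```

A ValueError from this helper marks a domain whose CRL retrieval could not resolve a usable repository, which is worth catching before certificate validation depends on it.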