- Prepare for certificate verification.

Before retrieving a local certificate in online mode, be sure to complete LDAP server configuration.

Follow these steps to retrieve a certificate manually:

To do…                                     Use the command…                                                                                    Remarks
Enter system view                          system-view                                                                                         —
Retrieve a certificate manually (online)   pki retrieval-certificate { ca | local } domain domain-name                                         Required. Use either command.
Retrieve a certificate manually (offline)  pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]  Required. Use either command.

- If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
- The pki retrieval-certificate configuration will not be saved in the configuration file.
- Be sure that the device system time falls in the validity period of the certificate so that the certificate is valid.

Configuring PKI Certificate Verification

A certificate needs to be verified before being used. Verifying a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Before verifying a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required in certificate verification.
If you enable CRL checking, CRLs will be used in verification of a certificate.

Configuring CRL-checking-enabled PKI certificate verification

Follow these steps to configure CRL-checking-enabled PKI certificate verification:

To do…                                         Use the command…                   Remarks
Enter system view                              system-view                        —
Enter PKI domain view                          pki domain domain-name             —
Specify the URL of the CRL distribution point  crl url url-string                 Optional. No CRL distribution point URL is specified by default.
Set the CRL update period                      crl update-period hours            Optional. By default, the CRL update period depends on the next update field in the CRL file.
Enable CRL checking                            crl check enable                   Optional. Enabled by default.
Return to system view                          quit                               —
Retrieve the CA certificate                    Refer to Retrieving a Certificate  Required
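
The checks described above (CA signature, validity period against the system time, and the optional CRL lookup), as an added Python example that is not from the original manual and does not reproduce device code. It uses the third-party cryptography package; all names, serial numbers and dates are constructed, and treating a CRL past its next update time as a failure is this example's assumption, not documented device behaviour.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW, DAY = dt.datetime(2024, 6, 1), dt.timedelta(days=1)  # NOW: constructed device time (UTC)

def name(cn):
    return x509.Name([x509.NameAttribute(x509.oid.NameOID.COMMON_NAME, cn)])

def issue(cn, ca_key, serial, key=None):  # constructed demo certificate
    pub = (key or ec.generate_private_key(ec.SECP256R1())).public_key()
    return (x509.CertificateBuilder().subject_name(name(cn))
            .issuer_name(name("demo-ca")).public_key(pub).serial_number(serial)
            .not_valid_before(NOW - 30 * DAY).not_valid_after(NOW + 335 * DAY)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, serial):  # CRL that revokes one serial number
    entry = (x509.RevokedCertificateBuilder().serial_number(serial)
             .revocation_date(NOW - DAY).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(name("demo-ca"))
            .last_update(NOW - DAY).next_update(NOW + DAY)
            .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))

def when(obj, attr):  # date field as naive UTC on old and new library releases
    return (getattr(obj, attr + "_utc", None) or getattr(obj, attr)).replace(tzinfo=None)

def verify(cert, ca_cert, now, crl=None, crl_check=True):
    try:  # 1. the certificate is signed by the CA
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad signature"
    if not when(cert, "not_valid_before") <= now <= when(cert, "not_valid_after"):
        return "outside validity period"  # 2. system time vs validity period
    if not crl_check:  # CRL checking disabled: stop after checks 1 and 2
        return "ok"
    if crl is None or not crl.is_signature_valid(ca_cert.public_key()):
        return "no trusted CRL"
    if now > when(crl, "next_update"):  # stale-CRL policy is this example's assumption
        return "CRL stale"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number):
        return "revoked"  # 3. serial number is listed in the CRL
    return "ok"

ca_key = ec.generate_private_key(ec.SECP256R1())  # constructed demo PKI
ca_cert = issue("demo-ca", ca_key, 1, key=ca_key)
good, revoked = issue("device-a", ca_key, 100), issue("device-b", ca_key, 101)
crl = make_crl(ca_key, 101)
```

With CRL checking turned off, the revoked certificate passes, which is the practical difference the crl check enable setting makes.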