• If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
• The pki retrieval-certificate configuration will not be saved in the configuration file.

Configuring PKI Certificate Verification

A certificate needs to be verified before being used. Verifying a certificate is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Before verifying a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required in certificate verification. If you enable CRL checking, CRLs will be used in verification of a certificate.

Configuring CRL-checking-enabled PKI certificate verification

Follow these steps to configure CRL-checking-enabled PKI certificate verification:

To do…                                         Use the command…                                            Remarks
Enter system view                              system-view                                                 —
Enter PKI domain view                          pki domain domain-name                                      —
Specify the URL of the CRL distribution point  crl url url-string                                          Optional. No CRL distribution point URL is specified by default.
Set the CRL update period                      crl update-period hours                                     Optional. By default, the CRL update period depends on the next update field in the CRL file.
Enable CRL checking                            crl check enable                                            Optional. Enabled by default.
Return to system view                          quit                                                        —
Retrieve the CA certificate                    Refer to Retrieving a Certificate Manually                  Required
Retrieve CRLs                                  pki retrieval-crl domain domain-name                        Required
Verify the validity of a certificate           pki validate-certificate { ca | local } domain domain-name  Required

Configuring CRL-checking-disabled PKI certificate verification

Follow these steps to configure CRL-checking-disabled PKI certificate verification: