Operation Manual – PKI
H3C S5500-EI Series Ethernet Switches
Chapter 1 PKI Configuration

To do…                                    Use the command…                                                                                     Remarks
Enter system view                         system-view                                                                                          —
Retrieve a certificate manually, online   pki retrieval-certificate { ca | local } domain domain-name                                          Required. Use either command.
Retrieve a certificate manually, offline  pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]   Required. Use either command.

Caution:
- If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is to avoid inconsistency between the certificate and enrollment information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
- The pki retrieval-certificate configuration will not be saved in the configuration file.

1.7 Configuring PKI Certificate Validation

A certificate needs to be validated before being used. Validating a certificate means checking that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Before validating a certificate, you need to retrieve the CA certificate.

You can specify whether CRL checking is required in certificate validation. If you enable CRL checking, CRLs will be used in validation of a certificate.

I. Configuring CRL-checking-enabled PKI certificate validation

Follow these steps to configure CRL-checking-enabled PKI certificate validation:

To do…                                          Use the command…         Remarks
Enter system view                               system-view              —
Enter PKI domain view                           pki domain domain-name   —
Specify the URL of the CRL distribution point   crl url url-string       Optional. No CRL distribution point URL is specified by default.