1-11To do… Use the command… RemarksEnter system view system-view —Enter PKI domain view pki domain domain-name —Disable CRL checking crl check disable RequiredEnabled by defaultReturn to system view quit —Retrieve the CA certificate Refer to Retrieving a CertificateManually RequiredVerify the validity of thecertificatepki validate-certificate { ca | local }domain domain-name Requiredz The CRL update period refers to the interval at which the entity downloads CRLs from the CRLserver. The CRL update period configured manually is prior to that specified in the CRLs.z The pki retrieval-crl domain configuration will not be saved in the configuration file.z Currently, the URL of the CRL distribution point does not support domain name resolving.Destroying a Local RSA Key PairA certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificateis about to expire, you can destroy the old RSA key pair and then create a pair to request a newcertificate.Follow these steps to destroy a local RSA key pair:To do… Use the command… RemarksEnter system view system-view —Destroy a local RSA key pair public-key local destroy rsa RequiredFor details about the public-key local destroy command, refer to Public Key Commands in theSecurity Volume.Deleting a CertificateWhen a certificate requested manually is about to expire or you want to request a new certificate, youcan delete the current local certificate or CA certificate.Follow these steps to delete a certificate: