• To import a local certificate containing an encrypted key pair, you must provide the challenge password. Contact the CA server administrator if necessary.

Configuration guidelines

• If a CA certificate already exists locally, you cannot obtain it again in online mode. To obtain a new one, use pki delete-certificate to remove the CA certificate and the local certificates, and then obtain the CA certificate again.
• If a PKI domain already has local or peer certificates, you can still perform the obtain operation; the obtained local or peer certificates overwrite the existing ones. If RSA is used, a PKI domain can have two local certificates, one for signature and the other for encryption.
• If CRL checking is enabled, CRL checking is triggered when you obtain a certificate. If the certificate to be obtained has been revoked, it cannot be obtained.
• The device compares the validity period of a certificate with the local system time to determine whether the certificate is valid. A device clock that is wrong by more than the certificate's validity window rejects a perfectly good certificate, and a clock that is behind accepts an expired one, so make sure the system time of the device is synchronized with the CA server.

Configuration procedure

To obtain certificates:

Step                                Command                                                         Remarks
1. Enter system view.               system-view                                                     N/A
2. Import or obtain certificates.   • Import certificates in offline mode:                          The pki retrieve-certificate
                                      pki import domain domain-name { der { ca | local | peer }     command is not saved in the
                                      filename filename | p12 local filename filename |             configuration file.
                                      pem { ca | local | peer } [ filename filename ] }
                                    • Obtain certificates in online mode:
                                      pki retrieve-certificate domain domain-name
                                      { ca | local | peer entity-name }

Verifying PKI certificates

Every time a certificate is requested, obtained, or used by an application, it is automatically verified. If the certificate has expired, is not issued by a trusted CA, or is revoked, the certificate is not used; a revoked certificate cannot be requested or obtained. You can also manually verify a certificate.

Verifying certificates with CRL checking

CRL checking checks whether a certificate is listed in the CRL. If it is, the certificate has been revoked and its home entity is not trusted.

To use CRL checking, a CRL must be obtained from a CRL repository. The device selects a CRL repository in the following order: the CRL repository specified in the PKI domain, the CRL repository in the local certificates, the CRL repository in the CA certificate, and finally the CRL obtained through SCEP. A repository URL configured in the PKI domain therefore always wins over the distribution points embedded in the certificates themselves.
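The following CLI session is an added example, not taken from this manual or from any vendor configuration guide. It walks through the procedure above for one PKI domain: time synchronization, an offline import of a CA certificate and of a local certificate whose key pair is protected by the challenge password, CRL retrieval with CRL checking enabled, and an online retrieval that first removes a CA certificate that is already present. The domain name d1, the file names ca.pem and local.p12, the NTP server and CRL URL addresses, the password prompt text, and every command other than system-view, pki import, pki retrieve-certificate and pki delete-certificate (whose full argument syntax is also assumed) are assumptions for illustration.

```text
# Added example; names, addresses and the non-page commands are assumed.
<Device> system-view

# Synchronize the clock before touching certificates: validity is judged
# against local time (assumed NTP syntax).
[Device] clock protocol ntp
[Device] ntp-service unicast-server 10.1.1.1

# Offline mode: CA certificate in PEM, then the local certificate plus its
# encrypted key pair in PKCS#12. The device asks for the challenge password
# obtained from the CA administrator (prompt text assumed).
[Device] pki import domain d1 pem ca filename ca.pem
[Device] pki import domain d1 p12 local filename local.p12
Please input the password:

# CRL checking needs a CRL first. A URL configured in the domain takes
# precedence over the distribution points inside the certificates
# (assumed domain-view syntax).
[Device] pki domain d1
[Device-pki-domain-d1] crl url http://10.1.1.100/crl.crl
[Device-pki-domain-d1] crl check enable
[Device-pki-domain-d1] quit
[Device] pki retrieve-crl domain d1

# Online mode: the CA certificate is already in the domain from the import,
# so a second retrieval is refused until it is deleted. Deleting the CA
# certificate also removes the local certificates, which are then fetched
# again (delete-certificate argument syntax assumed).
[Device] pki delete-certificate domain d1 ca
[Device] pki retrieve-certificate domain d1 ca
[Device] pki retrieve-certificate domain d1 local
```

Because pki retrieve-certificate is not written to the configuration file, the retrieval is a one-time action rather than persistent configuration; if a local certificate obtained this way is later revoked, the CRL check triggered by the next retrieval rejects it rather than silently overwriting the stored copy.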