136To use SCEP to obtain the CRL, the CA certificate and the local certificates must be present.To verify certificates with CRL checking:Step Command Remarks1. Enter system view. system-view N/A2. Enter PKI domain view. pki domain domain-name N/A3. (Optional.) Specify the URLof the CRL repository.crl url url-string [ vpn-instancevpn-instance-name ]By default, the URL of the CRLrepository is not specified.4. Enable CRL checking. crl check enable By default, CRL checking is enabled.5. Return to system view. quit N/A6. Obtain the CA certificate. See "Obtaining certificates." N/A7. (Optional.) Obtain the CRLand save it locally.pki retrieve-crl domaindomain-nameThe newly obtained CRL overwritesthe old one, if any.The obtained CRL must be issued bya CA certificate in the CA certificatechain in the current domain.8. Verify the validity of thecertificates.pki validate-certificate domaindomain-name { ca | local } N/AVerifying certificates without CRL checkingStep Command Remarks1. Enter system view. system-view N/A2. Enter PKI domain view. pki domain domain-name N/A3. Disable CRL checking. undo crl check enable By default, CRL checking isenabled.4. Return to system view. quit N/A5. Obtain the CA certificate. See "Obtaining certificates." N/A6. Verify the validity of thecertificates.pki validate-certificate domaindomain-name { ca | local }This command is not saved in theconfiguration file.Specifying the storage path for the certificates andCRLs