Monitoring and Clearing Digital Certificates
Monitoring Digital Certificates
Purpose
You can issue various forms of the show security pki command to view digital certificates, certificate requests, and certificate revocation lists:
Action
To display the CA digital certificate, issue the
show security pki ca-certificate ca-profile ca-profile-name
command.

To display the local digital certificate and the public key used to enroll the certificate, issue the
show security pki local-certificate certificate-id certificate-id-name
command.

To display the local certificate request in PKCS-10 format, issue the
show security pki certificate-request certificate-id certificate-id-name
command.

You can also view which digital certificates are used in IKE negotiations to establish tunnels by issuing the
show services ipsec-vpn certificates
command.

To display the certificate revocation list, issue the
show security pki crl ca-profile ca-profile-name
command.

To determine if a certificate is enabled for automatic-reenrollment, issue the
show security pki
command.
Clearing Digital Certificates
Purpose
Variations of the clear security pki command enable you to delete certificates, certificate requests, and certificate revocation lists:
Action
To delete the CA digital certificate, issue the
clear security pki ca-certificate ca-profile ca-profile-name
command.

To delete the local digital certificate and the associated private/public key pair, issue the
clear security pki local-certificate certificate-id certificate-id-name
command.

To delete the local certificate request, issue the
clear security pki certificate-request certificate-id certificate-id-name
command.

To clear the digital certificates that were used in IKE negotiations to establish tunnels, issue the
clear services ipsec-vpn certificates
command.

To delete the certificate revocation list, issue the
clear security pki crl ca-profile ca-profile-name
command.