1.1 PKI Configuration Commands
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
undo attribute { id | all }
View
Certificate attribute group view
Parameter
id: Serial number of the certificate attribute, in the range 1 to 16.
alt-subject-name: Name of the alternative certificate subject.
issuer-name: Name of the certificate issuer.
subject-name: Name of the certificate subject.
dn: DN of the entity.
fqdn: FQDN of the entity.
ip: IP address of the entity.
ctn: Contain operation.
equ: Equal operation.
nctn: Not-contain operation.
nequ: Not-equal operation.
attribute-value: Attribute value of the certificate, a case-insensitive string of 1 to 128 characters.
all: All the certificate attributes.
Description
Use the attribute command to configure an attribute of the certificate issuer name, the certificate subject name or the alternative certificate subject name.
Use the undo attribute command to delete the attribute of one or all of these certificate names.
By default, there is no restriction on the issuer name, the subject name or the alternative subject name of the certificate.
Note that the alternative certificate subject name is not a distinguished name, so there is no dn option for alt-subject-name.
Example
# Create a certificate attribute which defines that the DN of the subject name includes the string abc.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute which defines that the FQDN of the issuer name is not equal to the string abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute which defines that the IP address of the alternative subject name is not equal to 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
Syntax
ca identifier name
undo ca identifier
View
PKI domain view
Parameter
name: Identifier of the trusted CA, in a case-insensitive string of 1 to 63 characters.
Description
Use the ca identifier command to specify the trusted CA and bind the device to it by CA name.
Use the undo ca identifier command to remove the configuration.
By default, no trusted CA is specified.
Certificate request, retrieval, revocation and query are all carried out through the trusted CA as long as the CA is not deleted.
Example
# Specify the name of the trusted CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
Syntax
certificate request entity entity-name
undo certificate request entity
View
PKI domain view
Parameter
entity-name: Name of the entity used for certificate request, in a case-insensitive string of 1 to 15 characters.
Description
Use the certificate request entity command to specify the name of the entity used for certificate request.
Use the undo certificate request entity command to remove the configuration.
By default, no entity name is specified.
Related command: pki entity.
Example
# Specify to use entity1 for certificate request.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request entity entity1
Syntax
certificate request from { ca | ra }
undo certificate request from
View
PKI domain view
Parameter
ca: Indicates that the entity requests a certificate from the CA.
ra: Indicates that the entity requests a certificate from the RA.
Description
Use the certificate request from command to specify which authority, the CA or a registration authority (RA), the entity sends its certificate request to.
Use the undo certificate request from command to remove the configuration.
By default, no RA is specified.
Example
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
1.1.5 certificate request mode
Syntax
certificate request mode { auto [ key-length key-length | password { cipher | simple } password ]* | manual }
undo certificate request mode
View
PKI domain view
Parameter
auto: Specifies to request a certificate in auto mode.
key-length: Length of the RSA key, in the range 512 to 2048 bits. It is 1024 bits by default.
cipher: Specifies to display the password in cipher text.
simple: Specifies to display the password in clear text.
password: Password used for revoking a certificate, a case-sensitive string of 1 to 31 characters.
manual: Specifies to request a certificate in manual mode.
Description
Use the certificate request mode command to configure the certificate request mode.
Use the undo certificate request mode command to restore the default request mode.
By default, certificate request is carried out manually.
In auto mode, an entity automatically requests a certificate from the RA when it has no certificate of its own, and automatically requests a new one when the existing certificate is about to expire. In manual mode, all the operations associated with certificate request are carried out manually.
Related command: pki request-certificate.
Example
# Specify to request a certificate in auto mode.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request mode auto
Syntax
certificate request polling { count count | interval minutes }
undo certificate request polling { count | interval }
View
PKI domain view
Parameter
count: Polling times, in the range 1 to 100.
minutes: Polling period, in the range 5 to 168 minutes.
Description
Use the certificate request polling command to specify the polling period and polling times for certificate request.
Use the undo certificate request polling command to restore the default parameters.
By default, polling is executed 50 times at an interval of 20 minutes.
After an entity makes a certificate request, if the CA validates the request manually, issuing the certificate can take a long time. The entity therefore polls the request status periodically so that it can acquire the certificate as soon as the CA issues it.
Related command: display pki certificate.
Example
# Specify to execute polling 40 times at an interval of 15 minutes.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request polling interval 15
[Sysname-pki-domain-1] certificate request polling count 40
Syntax
certificate request url url-string
undo certificate request url
View
PKI domain view
Parameter
url-string: RA server URL, in a case-insensitive string of 1 to 127 characters, including the location of the RA server and the location of the CA CGI command interface script, in the format http://server_location/ca_script_location, where server_location is generally expressed as an IP address.
Description
Use the certificate request url command to specify the URL of the RA server through which the device makes certificate requests using the SCEP protocol.
Use the undo certificate request url command to remove the configuration.
By default, no URL is specified.
Example
# Specify the URL of the RA server.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll
Syntax
common-name name
undo common-name
View
PKI entity view
Parameter
name: Common name of an entity, in a case-insensitive string of 1 to 31 characters.
Description
Use the common-name command to configure the common name of an entity, such as the user name.
Use the undo common-name command to remove the configuration.
By default, no common name is specified.
Example
# Configure the common name of an entity as test.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] common-name test
Syntax
country country-code-str
undo country
View
PKI entity view
Parameter
country-code-str: 2-character country code.
Description
Use the country command to specify
the code of the country to which an entity belongs. It is a standard 2-character
code, e.g., CN for China.
Use the undo country command to remove
the configuration.
By default, no country code is specified.
Example
# Set the country code of an entity to CN.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
Syntax
crl check { disable | enable }
View
PKI domain view
Parameter
disable: Specifies to disable CRL checking.
enable: Specifies to enable CRL checking.
Description
Use the crl check command to enable
or disable CRL checking.
By default, CRL checking is enabled.
A CRL (certificate revocation list) is a file issued by the CA that lists the certificates it has revoked. A certificate may be revoked before its validity period expires.
Example
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl check disable
Syntax
crl update-period hours
undo crl update-period
View
PKI domain view
Parameter
hours: Update period, in the range 1 to 720 hours.
Description
Use the crl update-period command to specify the CRL update period.
Use the undo crl update-period command to restore the default value.
By default, the CRL update period is taken from the Next Update field of the CRL file.
The CRL update period is the interval at which a PKI entity holding a certificate downloads a CRL from the LDAP server.
Example
# Set the CRL update period to 20 hours.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20
Syntax
crl url url-string
undo crl url
View
PKI domain view
Parameter
url-string: URL of the CRL distribution point, in a case-insensitive string of 1 to 127 characters, in the format ldap://server_location, where server_location is generally expressed as an IP address.
Description
Use the crl url command to specify the URL of the CRL distribution point.
Use the undo crl url command to remove the configuration.
By default, no URL is specified for the CRL distribution point.
Note that when no URL is set for the CRL distribution point, you should acquire the CA certificate and a local certificate first, and then acquire the CRL through SCEP.
Example
# Specify the URL of the CRL distribution point.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30
1.1.13 display pki certificate
Syntax
display pki certificate { { ca | local } domain domain-name | request-status }
View
Any view
Parameter
ca: Displays the CA certificate.
local: Displays the local certificate.
request-status: Displays the status of the certificate request after it has been delivered.
domain-name: Domain of the certificate to be displayed. It is configured by using the pki domain command.
Description
Use the display pki certificate command to display the contents of a certificate.
Related command: pki retrieval-certificate, pki domain and certificate request polling.
Example
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Data:
    Version: 3 (0x2)
    Serial Number:
        10B7D4E3 00010000 0086
    Signature Algorithm: md5WithRSAEncryption
    Issuer:
        emailAddress=myca@aabbcc.net
        C=CN
        ST=Country A
        L=City X
        O=abc
        OU=bjs
        CN=new-ca
    Validity
        Not Before: Jan 13 08:57:21 2004 GMT
        Not After : Jan 20 09:07:21 2005 GMT
    Subject:
        C=CN
        ST=Country B
        L=City Y
        CN=pki test
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (512 bit)
            Modulus (512 bit):
                00D41D1F …
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS: hyf.xxyyzz.net
        …
Signature Algorithm: md5WithRSAEncryption
    A3A5A447 4D08387D …
Table 1-1 Description on the fields of the display pki certificate command
Field | Description
Version | Version of the certificate
Serial Number | Serial number of the certificate
Signature Algorithm | Signature algorithm
Issuer | Issuer of the certificate
Validity | Validity period of the certificate
Subject | Subject of the certificate
Subject Public Key Info | Public key information
X509v3 extensions | Extensions of the X.509 (version 3) certificate
X509v3 CRL Distribution Points | Distribution points of the X.509 (version 3) CRL
Syntax
display pki certificate access-control-policy { policy-name | all }
View
Any view
Parameter
policy-name: Name of the access control policy of a certificate attribute, a string of 1 to 16 characters.
all: Access control policies of all the certificate attributes.
Description
Use the display pki certificate access-control-policy command to display the access control policy information of a certificate attribute.
Example
# Display the information of the certificate attribute access control policy mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
rule 1 deny mygroup1
rule 2 permit mygroup2
Table 1-2 Description on the fields of the display pki certificate access-control-policy command
Field | Description
access-control-policy | Access control policy name of the certificate attribute
rule number | Control rule number
Syntax
display pki certificate attribute-group { group-name | all }
View
Any view
Parameter
group-name: Name of a certificate attribute group.
all: All the certificate attribute groups.
Description
Use the display pki certificate attribute-group command to display the information of a certificate attribute group.
Example
# Display the information of the certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
attribute group name: mygroup
attribute 1 subject-name dn ctn abc
attribute 2 issuer-name fqdn nctn apple
Table 1-3 Description on the fields of the display pki certificate attribute-group command
Field | Description
attribute group name | Name of a certificate attribute group
attribute number | Attribute number
Syntax
display pki crl domain domain-name
View
Any view
Parameter
domain-name: Domain of the certificate to be verified. It is configured by using the pki domain command.
Description
Use the display pki crl domain command to display the locally saved CRL.
Related command: pki retrieval-crl and pki domain.
Example
# Display a CRL.
<Sysname> display pki crl domain 1
Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer:
        C=CN
        O=abc
        OU=soft
        CN=A Test Root
    Last Update: Jan 5 08:44:19 2004 GMT
    Next Update: Jan 5 21:42:13 2004 GMT
    CRL extensions:
        X509v3 Authority Key Identifier:
            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
    Serial Number: 05a234448E…
        Revocation Date: Sep 6 12:33:22 2004 GMT
        CRL entry extensions:…
    Serial Number: 05a234448E…
        Revocation Date: Sep 6 12:33:22 2004 GMT
        CRL entry extensions:…
Table 1-4 Description on the fields of the display pki crl command
Field | Description
Version | Version of the CRL
Signature Algorithm | Signature algorithm used for the CRL
Issuer | The CA that issued the CRL
Last Update | Last update time
Next Update | Next update time
CRL extensions | Extensions of the CRL
Authority Key Identifier | Identifier of the key of the CA that issued the CRL
Revoked Certificates | The revoked certificates
Serial Number | Serial number of a revoked certificate
Revocation Date | Revocation date
Syntax
fqdn name-str
undo fqdn
View
PKI entity view
Parameter
name-str: FQDN of an entity, in a case-insensitive string of 1 to 127 characters.
Description
Use the fqdn command to configure the FQDN of an entity.
Use the undo fqdn command to remove the configuration.
By default, no FQDN is specified for an entity.
An FQDN (fully qualified domain name) is the unique identifier of an entity across a network. It consists of a host name and a domain name and can be resolved to an IP address.
Example
# Configure the FQDN of an entity.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com
Syntax
ip ip-address
undo ip
View
PKI entity view
Parameter
ip-address: IP address of an entity.
Description
Use the ip command to configure the
IP address of an entity.
Use the undo ip command to remove
the configuration.
By default, no IP address is specified for
an entity.
Example
# Configure the IP address of an entity.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] ip 161.12.2.3
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server ip
View
PKI domain view
Parameter
ip-address: IP address of the LDAP server, in dotted decimal notation.
port-number: Port number of the LDAP server, in the range 1 to 65535. By default, it is 389.
version-number: LDAP version number, 2 or 3. By default, it is 2.
Description
Use the ldap-server ip command to configure the IP address, port number and version of the LDAP server.
Use the undo ldap-server ip command to restore the default value.
By default, no IP address is configured for the LDAP server.
Example
# Specify the IP address of the LDAP server.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30
Syntax
locality locality-name
undo locality
View
PKI entity view
Parameter
locality-name: Name of the geographical locality, in a case-insensitive string of 1 to 31 characters.
Description
Use the locality command to configure the geographical locality of an entity, for example, a city's name.
Use the undo locality command to remove the configuration.
By default, no geographical locality is specified for an entity.
Example
# Configure the name of the city where the entity lies.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality City
Syntax
organization org-name
undo organization
View
PKI entity view
Parameter
org-name: Organization name, in a case-insensitive string of 1 to 31 characters.
Description
Use the organization command to configure the name of the organization to which the entity belongs.
Use the undo organization command to remove the configuration.
By default, no organization name is specified for an entity.
Example
# Configure the name of the organization to which an entity belongs.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization org-name
Syntax
organizational-unit org-unit-name
undo organizational-unit
View
PKI entity view
Parameter
org-unit-name: Organization unit name, in a case-insensitive string of 1 to 31 characters. This parameter is used to distinguish the units of an organization.
Description
Use the organizational-unit command to specify the name of the organization unit to which this entity belongs.
Use the undo organizational-unit command to remove the configuration.
By default, no organization unit name is specified for an entity.
Example
# Configure the name of the organization unit to which an entity belongs.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organizational-unit soft plat
Syntax
pki certificate access-control-policy policy-name
undo pki certificate access-control-policy { policy-name | all }
View
System view
Parameter
policy-name: Access control policy name of a certificate attribute, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.
all: Access control policies of all the certificate attributes.
Description
Use the pki certificate access-control-policy command to create an access control policy of a certificate attribute and enter its view.
Use the undo pki certificate access-control-policy command to remove the access control policy of one or all certificate attributes.
No access control policy exists by default.
Example
# Configure an access control policy named mypolicy and enter its view.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy]
Syntax
pki certificate attribute-group group-name
undo pki certificate attribute-group { group-name | all }
View
System view
Parameter
group-name: Name of a certificate attribute group, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.
all: All the certificate attribute groups.
Description
Use the pki certificate attribute-group command to create a certificate attribute group and enter its view.
Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups.
No certificate attribute group exists by default.
Example
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
Syntax
pki delete-certificate { ca | local } domain domain-name
View
System view
Parameter
ca: Specifies to delete all the locally stored CA certificates.
local: Specifies to delete all the local certificates.
domain-name: PKI domain in which the certificate to be deleted resides.
Description
Use the pki delete-certificate command to delete the locally stored certificates.
Example
# Delete the local certificate in the PKI domain named cer.
<Sysname> system-view
[Sysname] pki delete-certificate local domain cer
Syntax
pki domain name
undo pki domain name
View
System view
Parameter
name: PKI domain name, in a case-insensitive string of 1 to 15 characters, indicating the PKI domain to which this device belongs.
Description
Use the pki domain command to create a PKI domain and enter PKI domain view.
Use the undo pki domain command to remove the configuration.
By default, no PKI domain exists.
Example
# Enter PKI domain view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
Syntax
pki entity name
undo pki entity name
View
System view
Parameter
name: Unique ID of the entity, in a case-insensitive string of 1 to 15 characters.
Description
Use the pki entity command to name a PKI entity and enter PKI entity view.
Use the undo pki entity command to remove the name and all configurations under it.
By default, no entity name is specified.
You can configure a variety of attributes for an entity in PKI entity view. The entity name is used only for reference by other commands; it does not go into any field of a certificate.
Example
# Enter PKI entity view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
View
System view
Parameter
ca: Specifies a CA certificate.
local: Specifies a local certificate.
domain-name: PKI domain in which the certificate resides.
der: Specifies the certificate in DER format.
p12: Specifies the certificate in P12 format.
pem: Specifies the certificate in PEM format.
filename filename: Certificate filename, in a case-insensitive string of 1 to 127 characters, which defaults to domain-name_ca.cer or domain-name_local.cer.
Description
Use the pki import-certificate command to import an existing CA certificate or local certificate and save it locally.
Related command: pki domain.
Example
# Import the CA certificate of the PKI domain named cer in PEM format.
<Sysname> system-view
[Sysname] pki import-certificate ca domain cer pem
Syntax
pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]
View
System view
Parameter
domain-name: Domain name with the CA or RA related information for certificate request.
password: Password needed for certificate revocation, in a case-insensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request on the terminal. This is applicable to certificate requests delivered by phone, disk or e-mail.
filename: Name of the file for saving the PKCS#10 certificate request, in a case-insensitive string of 1 to 127 characters.
Description
Use the pki request-certificate domain command to request a local certificate from the CA through SCEP. If SCEP fails, you can print the local certificate request in BASE64 format using the optional pkcs10 parameter, copy it, and send it to the CA by phone, disk or e-mail.
This operation is not saved in the configuration.
Related command: pki domain.
Example
# Specify to manually request a certificate and display the PKCS#10 certificate request information.
<Sysname> system-view
[Sysname] pki request-certificate domain 1 pkcs10
Syntax
pki retrieval-certificate { ca | local } domain domain-name
View
System view
Parameter
ca: Specifies to download a CA certificate.
local: Specifies to download a local certificate.
domain-name: Domain name with the CA or RA related information for certificate request.
Description
Use the pki retrieval-certificate command to retrieve a certificate from the certificate issuing server and download it locally.
Related command: pki domain.
Example
# Retrieve a certificate.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
Syntax
pki retrieval-crl domain domain-name
View
System view
Parameter
domain-name: Domain name with the CA or RA related information for certificate request.
Description
Use the pki retrieval-crl command to
retrieve the latest CRL from the CRL server for the purpose of verifying the
validity of the existing certificate.
Related command: pki domain.
Example
# Retrieve a CRL.
<Sysname> system-view
[Sysname] pki retrieval-crl domain 1
Syntax
pki validate-certificate { ca | local } domain domain-name
View
System view
Parameter
ca: Specifies to validate a CA certificate.
local: Specifies to validate a local certificate.
domain-name: Domain of the certificate to be verified.
Description
Use the pki validate-certificate command to verify the validity of a certificate.
The check focuses on the CA signature on the certificate, and on making sure that the certificate is still within its validity period and has not been revoked.
Related command: pki domain.
Example
# Verify the validity of a local certificate.
<Sysname> system-view
[Sysname] pki validate-certificate local domain 1
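The checks described under crl check, crl update-period, display pki crl and pki validate-certificate, as an added Python example that is not part of this command reference or the device's software: it parses text in the shape of the display pki crl output, decides when the next CRL download is due (the configured update period if set, otherwise the CRL's Next Update field), and applies the validity-period and revocation checks. The sample CRL text, issuer and certificate summaries are constructed for the example; signature verification is left to the crypto library and passed in as a flag; and behaviour the page does not state (a missing or stale CRL fails closed) is marked ASSUMPTION in the code.

```python
"""Added example, not the device's own code: parse 'display pki crl' output and
apply the CRL and validity checks this reference describes (ASSUMPTION marks
behaviour the page does not state)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

def _parse_time(s: str) -> datetime:          # e.g. "Jan 5 08:44:19 2004 GMT"
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")

def _norm_serial(s: str) -> str:              # "10B7D4E3 00010000 0086" -> "10B7D4E3000100000086"
    return "".join(s.split()).upper()

@dataclass
class Crl:
    issuer: Dict[str, str]          # RDN type -> value
    last_update: datetime
    next_update: datetime
    revoked: Dict[str, datetime]    # normalised serial -> revocation date

def parse_crl_display(text: str) -> Crl:
    """Parse the text printed by 'display pki crl domain' into a Crl."""
    issuer: Dict[str, str] = {}
    revoked: Dict[str, datetime] = {}
    last = nxt = serial = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Issuer:":
            section = "issuer"
        elif line.startswith("Last Update:"):
            section, last = None, _parse_time(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            nxt = _parse_time(line.split(":", 1)[1])
        elif line.startswith("Revoked Certificates:"):
            section = "revoked"
        elif section == "issuer" and "=" in line:
            key, value = line.split("=", 1)
            issuer[key.strip()] = value.strip()
        elif section == "revoked" and line.startswith("Serial Number:"):
            serial = _norm_serial(line.split(":", 1)[1])
        elif section == "revoked" and line.startswith("Revocation Date:") and serial:
            revoked[serial] = _parse_time(line.split(":", 1)[1])
            serial = None
    if last is None or nxt is None:
        raise ValueError("CRL text lacks Last Update / Next Update")
    return Crl(issuer, last, nxt, revoked)

def crl_refresh_due(crl: Crl, downloaded_at: datetime, update_period_hours: Optional[int] = None) -> datetime:
    """Next CRL download: the configured crl update-period if set, else the CRL's own Next Update."""
    if update_period_hours is None:
        return crl.next_update
    if not 1 <= update_period_hours <= 720:
        raise ValueError("crl update-period must be in the range 1 to 720 hours")
    return downloaded_at + timedelta(hours=update_period_hours)

@dataclass
class CertSummary:
    serial: str
    issuer: Dict[str, str]
    not_before: datetime
    not_after: datetime

def validate_certificate(cert: CertSummary, crl: Optional[Crl], now: datetime,
                         ca_signature_valid: bool, crl_check: bool = True) -> List[str]:
    """Reasons the certificate fails validation (empty list = valid). The CA
    signature is verified by the crypto library and passed in as a flag."""
    problems: List[str] = []
    if not ca_signature_valid:
        problems.append("CA signature does not verify")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside validity period")
    if crl_check:                        # 'crl check enable' is the default
        if crl is None:                  # ASSUMPTION: no CRL fails closed
            problems.append("CRL checking enabled but no CRL available")
        else:
            if crl.issuer != cert.issuer:
                problems.append("CRL issuer does not match certificate issuer")
            if now > crl.next_update:    # ASSUMPTION: a stale CRL fails closed
                problems.append("CRL is past its Next Update")
            when = crl.revoked.get(_norm_serial(cert.serial))
            if when is not None:
                problems.append("revoked on " + when.strftime("%Y-%m-%d %H:%M:%S GMT"))
    return problems

# Constructed sample in the shape of the page's 'display pki crl domain 1' output.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
    Issuer:
        C=CN
        O=abc
        CN=A Test Root
    Last Update: Jan 5 08:44:19 2004 GMT
    Next Update: Jan 5 21:42:13 2004 GMT
Revoked Certificates:
    Serial Number: 05A234448E0001
        Revocation Date: Jan 4 12:33:22 2004 GMT
    Serial Number: 10B7D4E3000100000086
        Revocation Date: Jan 5 07:00:00 2004 GMT
"""
ISSUER = {"C": "CN", "O": "abc", "CN": "A Test Root"}   # constructed
NOW = datetime(2004, 1, 5, 10, 0, 0)
GOOD_CERT = CertSummary("0F0F0F01", ISSUER, datetime(2004, 1, 1), datetime(2005, 1, 1))

if __name__ == "__main__":
    crl = parse_crl_display(SAMPLE_CRL_TEXT)
    print(validate_certificate(GOOD_CERT, crl, NOW, True), crl_refresh_due(crl, NOW, 20))
```

With crl check enabled, a certificate whose serial appears in the CRL is reported as revoked even though its validity period has not ended, which is exactly the case the crl check command exists to catch; disabling CRL checking makes that certificate pass.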
Syntax
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
View
PKI domain view
Parameter
md5: Specifies to use an MD5 fingerprint.
sha1: Specifies to use a SHA1 fingerprint.
string: Fingerprint to be used. An MD5 fingerprint must consist of 32 hexadecimal characters; a SHA1 fingerprint must consist of 40 hexadecimal characters.
Description
Use the root-certificate fingerprint command to configure the fingerprint used for validating the CA root certificate.
Use the undo root-certificate fingerprint command to remove the configuration.
By default, no fingerprint is configured for validating the CA root certificate.
Example
# Configure an MD5 fingerprint for validating the CA root certificate.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E
# Configure a SHA1 fingerprint for validating the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
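The check behind root-certificate fingerprint, as an added Python example that is not part of this command reference or the device's software: the fingerprint of a certificate is the MD5 or SHA1 hash of its DER encoding, and the received CA root certificate is trusted only if that hash equals the configured string. The code enforces the 32/40 hexadecimal character constraint the command states and uses hashlib and hmac from the standard library; the DER byte string is a constructed stand-in, not a real certificate.

```python
"""Added example, not the device's own code: check a received CA root
certificate against the fingerprint configured with
'root-certificate fingerprint { md5 | sha1 } string'."""
import hashlib
import hmac

HEX_LENGTH = {"md5": 32, "sha1": 40}    # lengths the command accepts

def normalise_fingerprint(algorithm: str, fingerprint: str) -> str:
    """Enforce the command's constraints and return lower-case hex."""
    if algorithm not in HEX_LENGTH:
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    fp = fingerprint.replace(":", "").replace(" ", "").lower()
    if len(fp) != HEX_LENGTH[algorithm] or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("%s fingerprint must be %d hexadecimal characters"
                         % (algorithm, HEX_LENGTH[algorithm]))
    return fp

def certificate_fingerprint(der: bytes, algorithm: str) -> str:
    """Fingerprint of a certificate: the hash over its DER encoding."""
    return hashlib.new(algorithm, der).hexdigest()

def root_certificate_trusted(der: bytes, algorithm: str, configured: str) -> bool:
    """True only if the received root certificate hashes to the configured
    fingerprint, i.e. the one obtained from the CA out of band."""
    expected = normalise_fingerprint(algorithm, configured)
    actual = certificate_fingerprint(der, algorithm)
    return hmac.compare_digest(actual, expected)   # constant-time comparison

# Constructed stand-in for a DER-encoded root certificate (not a real certificate).
ROOT_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    fp = certificate_fingerprint(ROOT_CERT_DER, "sha1")
    print("sha1 fingerprint to configure:", fp.upper())
    print("trusted:", root_certificate_trusted(ROOT_CERT_DER, "sha1", fp.upper()))
    # A single changed byte in the received certificate changes the fingerprint.
    print("tampered trusted:", root_certificate_trusted(ROOT_CERT_DER + b"\x00", "sha1", fp))
```

The configured string must come from the CA by a separate channel (for example, published by the CA administrator); comparing a certificate against a fingerprint that arrived together with it proves nothing. Of the two algorithms the command offers, sha1 is the stronger choice, since MD5 collisions are practical.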
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
View
Access control policy view
Parameter
id: Access control rule number of the certificate attribute, in the range 1 to 16. It defaults to the smallest unused number in the range 1 to 16.
deny: The certificate is considered invalid and cannot pass the access control policy check when it matches the attributes defined in the attribute group.
permit: The certificate is considered valid and can pass the access control policy check when it matches the attributes defined in the attribute group.
group-name: Name of the certificate attribute group associated with the rule, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.
all: All the control rules.
Description
Use the rule command to create an access control rule for certificate attributes.
Use the undo rule command to delete one or all of the access control rules.
No access control rule exists by default.
Note that the certificate attribute group referenced by a rule must exist.
Example
# Create an access control rule under which a certificate is considered valid and passes the access control policy check when it matches the attributes in the certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy
[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
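How the attribute command (certificate attribute groups) and the rule command (access control policies) fit together, as an added Python example that is not part of this command reference or the device's software: each attribute compares one certificate field (dn, fqdn or ip of the subject, issuer or alternative subject name) with a value using ctn, equ, nctn or nequ, case-insensitively; a policy's rules are tried in id order and the first rule whose group matches decides permit or deny. The group and policy mirror the page's own examples; the peer certificates are constructed. Points the page does not state (a group matches only when all its attributes match, a missing field compares as empty, and a certificate matching no rule is rejected) are marked ASSUMPTION.

```python
"""Added example, not the device's own code: how a certificate attribute group
(attribute command) and an access control policy (rule command) decide whether
a peer certificate is accepted. ASSUMPTION marks behaviour the page does not state."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Attribute:
    """One 'attribute id name kind op value' line of a certificate attribute group."""
    id: int        # 1 to 16
    name: str      # subject-name | issuer-name | alt-subject-name
    kind: str      # dn | fqdn | ip
    op: str        # ctn | equ | nctn | nequ
    value: str     # attribute-value, 1 to 128 characters, compared case-insensitively

    def __post_init__(self):
        if not 1 <= self.id <= 16:
            raise ValueError("attribute id must be in the range 1 to 16")
        if self.name not in ("subject-name", "issuer-name", "alt-subject-name"):
            raise ValueError("unknown certificate name " + self.name)
        if self.kind not in ("dn", "fqdn", "ip"):
            raise ValueError("unknown attribute type " + self.kind)
        if self.name == "alt-subject-name" and self.kind == "dn":
            raise ValueError("alt-subject-name has no dn attribute")   # stated on the page
        if self.op not in ("ctn", "equ", "nctn", "nequ"):
            raise ValueError("unknown operation " + self.op)
        if not 1 <= len(self.value) <= 128:
            raise ValueError("attribute-value must be 1 to 128 characters")

# A certificate reduced to the fields the attributes compare against, keyed by
# (name, kind). A real device would fill this from the parsed X.509 certificate.
CertFields = Dict[Tuple[str, str], str]

def attribute_matches(attr: Attribute, cert: CertFields) -> bool:
    # ASSUMPTION: a field the certificate lacks is compared as the empty string.
    actual = cert.get((attr.name, attr.kind), "").lower()
    wanted = attr.value.lower()
    return {"ctn": wanted in actual, "nctn": wanted not in actual,
            "equ": actual == wanted, "nequ": actual != wanted}[attr.op]

def group_matches(group: List[Attribute], cert: CertFields) -> bool:
    """ASSUMPTION: a certificate matches a group only if every attribute matches."""
    return all(attribute_matches(a, cert) for a in group)

@dataclass(frozen=True)
class Rule:
    id: int            # 1 to 16
    action: str        # deny | permit
    group_name: str    # certificate attribute group the rule refers to

def evaluate_policy(rules: List[Rule], groups: Dict[str, List[Attribute]],
                    cert: CertFields) -> Tuple[bool, Optional[int]]:
    """Return (accepted, id of the deciding rule). Rules are tried in ascending id
    order and the first whose group matches decides; the page requires that the
    group exists. ASSUMPTION: a certificate matching no rule is rejected."""
    for rule in sorted(rules, key=lambda r: r.id):
        if rule.group_name not in groups:
            raise LookupError("attribute group %s does not exist" % rule.group_name)
        if group_matches(groups[rule.group_name], cert):
            return rule.action == "permit", rule.id
    return False, None

# Configuration mirroring the page's examples: group mygroup and "rule 1 permit mygroup".
GROUPS = {"mygroup": [Attribute(1, "subject-name", "dn", "ctn", "abc"),
                      Attribute(2, "issuer-name", "fqdn", "nequ", "abc"),
                      Attribute(3, "alt-subject-name", "ip", "nequ", "10.0.0.1")]}
MYPOLICY = [Rule(1, "permit", "mygroup")]

# Constructed peer certificates: the second carries the alternative-name IP the group excludes.
GOOD_CERT: CertFields = {("subject-name", "dn"): "C=CN, O=ABC, CN=pki test",
                         ("issuer-name", "fqdn"): "ca.example.net",
                         ("alt-subject-name", "ip"): "10.0.0.2"}
BAD_CERT: CertFields = {**GOOD_CERT, ("alt-subject-name", "ip"): "10.0.0.1"}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, evaluate_policy(MYPOLICY, GROUPS, cert))   # (True, 1) / (False, None)
```

Rule order matters under first-match evaluation: in the page's display pki certificate access-control-policy sample, mypolicy has rule 1 deny mygroup1 ahead of rule 2 permit mygroup2, so a certificate matching both groups is denied. Note also that ctn on the subject DN is a substring test, so a value such as abc also matches a subject containing xabcx.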
Syntax
state state-name
undo state
View
PKI entity view
Parameter
state-name: State or province name, in a case-insensitive string of 1 to 31 characters.
Description
Use the state command to specify the name of the state or province where an entity resides.
Use the undo state command to remove the configuration.
By default, no state is specified.
Example
# Specify the state where an entity resides.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] state Country
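The entity attributes this reference covers under PKI entity view (common-name, country, state, locality, organization, organizational-unit, fqdn and ip) are what a certificate request carries as its subject name and alternative names. The following added Python example, not part of this reference or the device's software, assembles them in the RDN order the display pki certificate sample output shows and enforces the per-command length limits stated above; the sample entity is constructed from the page's own examples, and placing fqdn and ip in the subject alternative name is an assumption (the page's sample output shows only a DNS entry there).

```python
"""Added example, not the device's own code: build the subject DN and subject
alternative names from a PKI entity's attributes, enforcing the limits each
entity command states."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Maximum length per entity command, from this reference.
LIMITS = {"common_name": 31, "state": 31, "locality": 31,
          "organization": 31, "organizational_unit": 31, "fqdn": 127}

# RDN order as it appears in the page's 'display pki certificate' output.
RDN_ORDER = (("C", "country"), ("ST", "state"), ("L", "locality"),
             ("O", "organization"), ("OU", "organizational_unit"),
             ("CN", "common_name"))

@dataclass
class PkiEntity:
    name: str                                   # pki entity name, 1 to 15 characters
    common_name: Optional[str] = None           # common-name
    country: Optional[str] = None               # country, 2-character code
    state: Optional[str] = None                 # state
    locality: Optional[str] = None              # locality
    organization: Optional[str] = None          # organization
    organizational_unit: Optional[str] = None   # organizational-unit
    fqdn: Optional[str] = None                  # fqdn
    ip: Optional[str] = None                    # ip

    def validate(self) -> List[str]:
        """Return the constraint violations; an empty list means acceptable."""
        errors: List[str] = []
        if not 1 <= len(self.name) <= 15:
            errors.append("entity name must be 1 to 15 characters")
        for attr, limit in LIMITS.items():
            value = getattr(self, attr)
            if value is not None and not 1 <= len(value) <= limit:
                errors.append("%s must be 1 to %d characters" % (attr, limit))
        if self.country is not None and not (len(self.country) == 2
                                             and self.country.isalpha()):
            errors.append("country must be a 2-character code")
        if self.ip is not None:
            try:
                ipaddress.ip_address(self.ip)
            except ValueError:
                errors.append("ip is not a valid IP address")
        return errors

def subject_dn(entity: PkiEntity) -> List[str]:
    """Subject RDNs as 'TYPE=value' strings, unset attributes omitted. The
    entity name itself is deliberately not included: the page says it is only
    a reference for other commands, not a certificate field."""
    errors = entity.validate()
    if errors:
        raise ValueError("; ".join(errors))
    return ["%s=%s" % (rdn, getattr(entity, attr))
            for rdn, attr in RDN_ORDER if getattr(entity, attr) is not None]

def subject_alt_names(entity: PkiEntity) -> List[str]:
    """ASSUMPTION: fqdn and ip go into subjectAltName, in the DNS:/IP: notation
    of the display output (the page's sample shows only a DNS entry)."""
    names: List[str] = []
    if entity.fqdn is not None:
        names.append("DNS:" + entity.fqdn)
    if entity.ip is not None:
        names.append("IP:" + entity.ip)
    return names

# Constructed from the values used in this reference's entity examples.
SAMPLE_ENTITY = PkiEntity("1", common_name="test", country="CN", state="Country",
                          locality="City", organization="org-name",
                          organizational_unit="soft plat",
                          fqdn="pki.domain-name.com", ip="161.12.2.3")

if __name__ == "__main__":
    print(", ".join(subject_dn(SAMPLE_ENTITY)))
    print(subject_alt_names(SAMPLE_ENTITY))
    print(PkiEntity("1", country="CHN").validate())
```

Validating before building the request matters because the CA, not the device, is the final arbiter of what goes into the certificate: a subject that exceeds the limits above is rejected on the device, and anything that passes is still subject to the CA's own policy when the request is delivered through SCEP or PKCS#10.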