H3C S5500-SI Series Ethernet Switches Command Manual-Release 1205-(V1.03)

31-PKI Command

Chapter 1  PKI Configuration Commands

1.1  PKI Configuration Commands

1.1.1  attribute

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value

undo attribute { id | all }

View

Certificate attribute group view

Parameter

id: Serial number of the certificate attribute, in the range 1 to 16.

alt-subject-name: Name of the alternative certificate subject.

issuer-name: Name of the certificate issuer.

subject-name: Name of the certificate subject.

dn: DN of the entity.

fqdn: FQDN of the entity.

ip: IP address of the entity.

ctn: Contain operation.

equ: Equal operation.

nctn: Not-contain operation.

nequ: Not-equal operation.

attribute-value: Attribute value of the certificate, a case-insensitive string of 1 to 128 characters.

all: All the certificate attributes.

Description

Use the attribute command to configure the attribute of the certificate issuer name, certificate subject name and alternative certificate subject name.

Use the undo attribute command to delete the attribute of one or all of these certificate names.

There is no restriction on the issuer name, the subject name and the alternative subject name of the certificate by default.

Note that the alternative certificate subject name is never expressed as a distinguished name, so the dn keyword is not available for alt-subject-name.

Example

# Create a certificate attribute which defines that the DN of the subject name includes a string of abc.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Create a certificate attribute which defines that the FQDN of the issuer name is not equal to the string abc.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Create a certificate attribute which defines that the IP address of the alternative subject name is not equal to 10.0.0.1.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

1.1.2  ca identifier

Syntax

ca identifier name

undo ca identifier

View

PKI domain view

Parameter

name: Identifier of the trusted CA, in a case-insensitive string of 1 to 63 characters.

Description

Use the ca identifier command to specify the trusted CA and bind the device to that CA by name.

Use the undo ca identifier command to remove the configuration.

By default, no trusted CA is specified.

Certificate request, retrieval, revocation and query are all carried out through the trusted CA as long as the CA is not deleted.

Example

# Specify the name of the trusted CA.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier new-ca

1.1.3  certificate request entity

Syntax

certificate request entity entity-name

undo certificate request entity

View

PKI domain view

Parameter

entity-name: Name of the entity used for certificate request, in a case-insensitive string of 1 to 15 characters.

Description

Use the certificate request entity command to specify the name of the entity used for certificate request.

Use the undo certificate request entity command to remove the configuration.

By default, no entity name is specified.

Related command: pki entity.

Example

# Specify to use entity1 for certificate request.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request entity entity1

1.1.4  certificate request from

Syntax

certificate request from { ca | ra }

undo certificate request from

View

PKI domain view

Parameter

ca: Indicates that the entity requests a certificate from the CA.

ra: Indicates that the entity requests a certificate from the RA.

Description

Use the certificate request from command to specify whether the entity sends its certificate request to the CA or to the registration authority (RA).

Use the undo certificate request from command to remove the configuration.

By default, no RA is specified.

Example

# Specify that the entity requests a certificate from CA.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request from ca

1.1.5  certificate request mode

Syntax

certificate request mode { auto [ key-length key-length | password { cipher | simple } password ]* | manual }

undo certificate request mode

View

PKI domain view

Parameter

auto: Specifies to request a certificate in auto mode.

key-length: Length of the RSA key, in the range 512 to 2048 bits. It is 1024 bits by default.

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in clear text.

password: Password used for revoking a certificate, a case-sensitive string of 1 to 31 characters.

manual: Specifies to request a certificate in manual mode.

Description

Use the certificate request mode command to configure the certificate request mode.

Use the undo certificate request mode command to restore it to the default request mode.

By default, certificate request is carried out manually.

In auto mode, an entity automatically requests a certificate from the RA when it has no certificate of its own, and automatically requests a new one when the existing certificate is about to expire. In manual mode, all operations associated with certificate request are carried out manually.

Related command: pki request-certificate.

Example

# Specify to request a certificate in auto mode.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request mode auto

1.1.6  certificate request polling

Syntax

certificate request polling { count count | interval minutes }

undo certificate request polling { count | interval }

View

PKI domain view

Parameter

count: Polling times, in the range 1 to 100.

minutes: Polling period, in the range 5 to 168 minutes.

Description

Use the certificate request polling command to specify the polling period and polling times for certificate request.

Use the undo certificate request polling command to restore it to the default parameters.

By default, polling is executed for 50 times at the interval of 20 minutes.

After an entity makes a certificate request, if the CA validates the request manually, it may take a long time to issue the certificate. The entity therefore needs to poll the request status periodically so that it can acquire the certificate as soon as the CA issues it.

Related command: display pki certificate.

Example

# Specify to execute polling for 40 times at the interval of 15 minutes.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request polling interval 15

[Sysname-pki-domain-1] certificate request polling count 40

1.1.7  certificate request url

Syntax

certificate request url url-string

undo certificate request url

View

PKI domain view

Parameter

url-string: RA server URL, in a case-insensitive string of 1 to 127 characters, including the location of the RA server and the location of the CA CGI command interface script, in the format http://server_location/ca_script_location, where server_location is generally expressed as an IP address.

Description

Use the certificate request url command to specify the URL of the RA server through which the device makes a certificate request using SCEP.

Use the undo certificate request url command to remove the configuration.

By default, no URL is specified.

Example

# Specify the URL of RA server.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

1.1.8  common-name

Syntax

common-name name

undo common-name

View

PKI entity view

Parameter

name: Common name of an entity, in a case-insensitive string of 1 to 31 characters.

Description

Use the common-name command to configure the common name of an entity, such as the user name.

Use the undo common-name command to remove the configuration.

By default, no common name is specified.

Example

# Configure the common name of an entity as test.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] common-name test

1.1.9  country

Syntax

country country-code-str

undo country

View

PKI entity view

Parameter

country-code-str: 2-character country code.

Description

Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, e.g., CN for China.

Use the undo country command to remove the configuration.

By default, no country code is specified.

Example

# Set the country code of an entity to CN.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] country CN

1.1.10  crl check

Syntax

crl check { disable | enable }

View

PKI domain view

Parameter

disable: Specifies to disable CRL checking.

enable: Specifies to enable CRL checking.

Description

Use the crl check command to enable or disable CRL checking.

By default, CRL checking is enabled.

A CRL (certificate revocation list) is a file issued by the CA that lists certificates that have been revoked. Revocation may occur before the end of a certificate's validity period.

Example

# Disable CRL checking.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl check disable

1.1.11  crl update-period

Syntax

crl update-period hours

undo crl update-period

View

PKI domain view

Parameter

hours: Update period, in the range 1 to 720 hours.

Description

Use the crl update-period command to specify the update period of CRL.

Use the undo crl update-period command to restore it to the default value.

By default, the CRL update period is determined by the Next Update field in the CRL file.

The CRL update period is the interval at which a PKI entity with a certificate downloads a CRL from LDAP server.

Example

# Set the CRL update period to 20 hours.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl update-period 20
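The following is an added example, not code from the H3C manual, modelling what the crl check and crl update-period settings mean for a PKI domain: with an update period configured, the next CRL download is due that many hours after the CRL's Last Update; without one, it is due at the CRL's own Next Update. The sample CRL is constructed (only its timestamps are taken from the display pki crl output later in this chapter), and the status names returned by certificate_status are this example's own.

```python
"""CRL refresh scheduling and revocation checking (added example, not H3C code).

Models the crl check and crl update-period commands. Times use the layout
printed by display pki crl domain. The sample CRL below is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


def parse_crl_time(text: str) -> datetime:
    """Parse e.g. 'Jan  5 08:44:19 2004 GMT' (double space before the day allowed)."""
    words = text.split()
    if len(words) != 5 or words[-1] != "GMT":
        raise ValueError(f"unexpected CRL time: {text!r}")
    naive = datetime.strptime(" ".join(words[:4]), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def normalize_serial(serial: str) -> str:
    """Serials are printed in spaced hex groups; compare without spaces or case."""
    return serial.replace(" ", "").lower()


class Crl:
    def __init__(self, issuer: str, last_update: str, next_update: str,
                 revoked_serials: Iterable[str]) -> None:
        self.issuer = issuer
        self.last_update = parse_crl_time(last_update)
        self.next_update = parse_crl_time(next_update)
        if self.next_update <= self.last_update:
            raise ValueError("Next Update must be after Last Update")
        self.revoked = {normalize_serial(s) for s in revoked_serials}

    def is_current(self, now: datetime) -> bool:
        return self.last_update <= now < self.next_update


def next_crl_download(crl: Crl, update_period_hours: Optional[int]) -> datetime:
    """When the device should fetch the CRL again."""
    if update_period_hours is None:            # default: follow Next Update
        return crl.next_update
    if not 1 <= update_period_hours <= 720:    # range from the command syntax
        raise ValueError("crl update-period must be 1 to 720 hours")
    return crl.last_update + timedelta(hours=update_period_hours)


def certificate_status(serial: str, crl: Crl, now: datetime,
                       crl_check_enabled: bool = True) -> str:
    """'unchecked' when crl check is disabled, 'unknown' when the CRL is stale,
    otherwise 'revoked' or 'good'."""
    if not crl_check_enabled:
        return "unchecked"          # revocation is not consulted at all
    if not crl.is_current(now):
        return "unknown"            # stale CRL cannot vouch for the certificate
    return "revoked" if normalize_serial(serial) in crl.revoked else "good"


# Constructed CRL; timestamps as printed by display pki crl domain 1.
SAMPLE_CRL = Crl(
    issuer="C=CN,O=abc,OU=soft,CN=A Test Root",
    last_update="Jan  5 08:44:19 2004 GMT",
    next_update="Jan  5 21:42:13 2004 GMT",
    revoked_serials=["05A23444 8E000100 00001F"],   # constructed serial
)

if __name__ == "__main__":
    now = parse_crl_time("Jan  5 10:00:00 2004 GMT")
    print(next_crl_download(SAMPLE_CRL, 20))
    print(certificate_status("05A234448E00010000001F", SAMPLE_CRL, now))
```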

1.1.12  crl url

Syntax

crl url url-string

undo crl url

View

PKI domain view

Parameter

url-string: URL of the CRL distribution point, in a case-insensitive string of 1 to 127 characters in the format ldap://server_location, where server_location is generally expressed as an IP address.

Description

Use the crl url command to specify the URL for the CRL distribution point.

Use the undo crl url command to remove the configuration.

By default, no URL is specified for the CRL distribution point.

Note that when no URL is set for the CRL distribution point, you should first acquire the CA certificate and a local certificate, and then acquire the CRL through SCEP.

Example

# Specify the URL of the CRL distribution point.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl url ldap://169.254.0.30

1.1.13  display pki certificate

Syntax

display pki certificate { { ca | local } domain domain-name | request-status }

View

Any view

Parameter

ca: Displays CA certificate.

local: Displays local certificate.

request-status: Displays the status of the certificate request after being delivered.

domain-name: Domain of the certificate to be verified. It is configured by using the pki domain command.

Description

Use the display pki certificate command to display the contents of a certificate.

Related command: pki retrieval-certificate, pki domain and certificate request polling.

Example

# Display local certificate.

<Sysname> display pki certificate local domain 1

Data:

        Version: 3 (0x2)

        Serial Number:

            10B7D4E3 00010000 0086

        Signature Algorithm:  md5WithRSAEncryption

        Issuer:

            emailAddress=myca@aabbcc.net

            C=CN

            ST=Country A

            L=City X

            O=abc

            OU=bjs

            CN=new-ca

        Validity

            Not Before:  Jan 13 08:57:21 2004 GMT

            Not After :  Jan 20 09:07:21 2005 GMT

        Subject:

            C=CN

            ST=Country B

            L=City Y

            CN=pki test

        Subject Public Key Info:

            Public Key Algorithm:  rsaEncryption

            RSA Public Key:  (512 bit)

                Modulus (512 bit):

                    00D41D1F …

                Exponent:  65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Alternative Name:

            DNS: hyf.xxyyzz.net

            …          …

    Signature Algorithm:  md5WithRSAEncryption

        A3A5A447 4D08387D …

Table 1-1 Description on the fields of the display pki certificate command

Field                           Description
Version                         Version of the certificate
Serial Number                   Serial number of the certificate
Signature Algorithm             Signature algorithm
Issuer                          Issuer of the certificate
Validity                        Validity period of the certificate
Subject                         Subject of the certificate
Subject Public Key Info         Public key information
X509v3 extensions               Extensions of the X.509 version 3 certificate
X509v3 CRL Distribution Points  Distribution points of the X.509 version 3 CRL

1.1.14  display pki certificate access-control-policy

Syntax

display pki certificate access-control-policy { policy-name | all }

View

Any view

Parameter

policy-name: Name of the access control policy of a certificate attribute, a string of 1 to 16 characters.

all: Access control policies of all the certificate attributes.

Description

Use the display pki certificate access-control-policy command to display the access control policy information of a certificate attribute.

Example

# Display the information of the access control policy mypolicy of certificate attribute.

<Sysname> display pki certificate access-control-policy mypolicy

 access-control-policy name: mypolicy

     rule  1 deny    mygroup1

     rule  2 permit  mygroup2

Table 1-2 Description on the fields of the display pki certificate access-control-policy command

Field                  Description
access-control-policy  Access control policy name of the certificate attribute
rule number            Control rule number

1.1.15  display pki certificate attribute-group

Syntax

display pki certificate attribute-group { group-name | all }

View

Any view

Parameter

group-name: Name of a certificate attribute group.

all: All the certificate attribute groups.

Description

Use the display pki certificate attribute-group command to display the information of a certificate attribute group.

Example

# Display the information of certificate attribute group mygroup.

<Sysname> display pki certificate attribute-group mygroup

 attribute group name: mygroup

      attribute  1 subject-name     dn    ctn   abc

      attribute  2 issuer-name      fqdn  nctn  apple

Table 1-3 Description on the fields of the display pki certificate attribute-group command

Field                 Description
attribute group name  Name of the certificate attribute group
attribute number      Attribute number

1.1.16  display pki crl domain

Syntax

display pki crl domain domain-name

View

Any view

Parameter

domain-name: Domain of the certificate to be verified. It is configured by using the pki domain command.

Description

Use the display pki crl domain command to display the locally saved CRL.

Related command: pki retrieval-crl and pki domain.

Example

# Display a CRL.

<Sysname> display pki crl domain 1

 Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm:  sha1WithRSAEncryption

        Issuer:

            C=CN

            O=abc

            OU=soft

            CN=A Test Root

        Last Update:  Jan  5 08:44:19 2004 GMT

        Next Update:  Jan  5 21:42:13 2004 GMT

        CRL extensions:

            X509v3 Authority Key Identifier:

            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC

            Revoked Certificates:

            Serial Number: 05a234448E…

            Revocation Date: Sep  6 12:33:22 2004 GMT

            CRL entry extensions:…

            Serial Number: 05a234448E…

            Revocation Date: Sep  6 12:33:22 2004 GMT

            CRL entry extensions:…

Table 1-4 Description on the fields of the display pki crl command

Field                     Description
Version                   Version of the CRL
Signature Algorithm       Signature algorithm adopted by the CRL
Issuer                    The CA issuing the CRL
Last Update               Last update time
Next Update               Next update time
CRL extensions            Extensions of the CRL
Authority Key Identifier  Key identifier of the CA that issued (signed) the CRL
Revoked Certificates      The revoked certificates
Serial Number             Serial number of a revoked certificate
Revocation Date           Revocation date

1.1.17  fqdn

Syntax

fqdn name-str

undo fqdn

View

PKI entity view

Parameter

name-str: FQDN of an entity, in a case-insensitive string of 1 to 127 characters.

Description

Use the fqdn command to configure the FQDN of an entity.

Use the undo fqdn command to remove the configuration.

By default, no FQDN is specified for an entity.

An FQDN (fully qualified domain name) is the unique identifier of an entity across a network. It consists of a host name and a domain name and can be resolved to an IP address.

Example

# Configure the FQDN of an entity.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] fqdn pki.domain-name.com

1.1.18  ip

Syntax

ip ip-address

undo ip

View

PKI entity view

Parameter

ip-address: IP address of an entity.

Description

Use the ip command to configure the IP address of an entity.

Use the undo ip command to remove the configuration.

By default, no IP address is specified for an entity.

Example

# Configure the IP address of an entity.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] ip 161.12.2.3

1.1.19  ldap-server

Syntax

ldap-server ip ip-address [ port port-number ] [ version version-number ]

undo ldap-server ip

View

PKI domain view

Parameter

ip-address: IP address of the LDAP server, in dotted decimal notation.

port-number: Port number of the LDAP server, in the range 1 to 65535. By default, it is 389.

version-number: LDAP version number, either 2 or 3. By default, it is 2.

Description

Use the ldap-server ip command to configure the IP address, port number and version of LDAP server.

Use the undo ldap-server ip command to restore it to the default value.

By default, no IP address is configured for LDAP server.

Example

# Specify the IP address of LDAP server.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ldap-server ip 169.254.0.30

1.1.20  locality

Syntax

locality locality-name

undo locality

View

PKI entity view

Parameter

locality-name: Name of the geographical locality, in a case-insensitive string of 1 to 31 characters.

Description

Use the locality command to configure the geographical locality of an entity, for example, a city’s name.

Use the undo locality command to remove the configuration.

By default, no geographical locality is specified for an entity.

Example

# Configure the name of the city where the entity lies.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] locality City

1.1.21  organization

Syntax

organization org-name

undo organization

View

PKI entity view

Parameter

org-name: Organization name, in a case-insensitive string of 1 to 31 characters

Description

Use the organization command to configure the name of the organization to which the entity belongs.

Use the undo organization command to remove the configuration.

By default, no organization name is specified for an entity.

Example

# Configure the name of the organization to which an entity belongs.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organization org-name

1.1.22  organizational-unit

Syntax

organizational-unit org-unit-name

undo organizational-unit

View

PKI entity view

Parameter

org-unit-name: Organization unit name, in a case-insensitive string of 1 to 31 characters. This parameter is used to distinguish the units of an organization.

Description

Use the organizational-unit command to specify the name of the organization unit to which this entity belongs.

Use the undo organizational-unit command to remove the configuration.

By default, no organization unit name is specified for an entity.

Example

# Configure the name of the organization unit to which an entity belongs.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organizational-unit soft plat

1.1.23  pki certificate access-control-policy

Syntax

pki certificate access-control-policy policy-name

undo pki certificate access-control-policy { policy-name | all }

View

System view

Parameter

policy-name: Access control policy name of a certificate attribute, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.

all: Access control policies of all the certificate attributes.

Description

Use the pki certificate access-control-policy command to create an access control policy of a certificate attribute and enter its view.

Use the undo pki certificate access-control-policy command to remove the access control policy of one or all certificate attributes.

No access control policy exists by default.

Example

# Configure an access control policy named mypolicy and enter its view.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy]

1.1.24  pki certificate attribute-group

Syntax

pki certificate attribute-group group-name

undo pki certificate attribute-group { group-name | all }

View

System view

Parameter

group-name: Name of a certificate attribute group, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.

all: All the certificate attribute groups.

Description

Use the pki certificate attribute-group command to create a certificate attribute group and enter its view.

Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups.

No certificate attribute group exists by default.

Example

# Create a certificate attribute group named mygroup and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup]

1.1.25  pki delete-certificate

Syntax

pki delete-certificate { ca | local } domain domain-name

View

System view

Parameter

ca: Specifies to delete all the locally stored CA certificates.

local: Specifies to delete all the local certificates.

domain-name: PKI domain in which the certificate to be deleted is located.

Description

Use the pki delete-certificate command to delete the locally stored certificates.

Example

# Delete the local certificate in the PKI domain named cer.

<Sysname> system-view

[Sysname] pki delete-certificate local domain cer

1.1.26  pki domain

Syntax

pki domain name

undo pki domain name

View

System view

Parameter

name: PKI domain name, in a case-insensitive string of 1 to 15 characters, indicating the PKI domain to which this device belongs.

Description

Use the pki domain command to create a PKI domain and enter the PKI domain view.

Use the undo pki domain command to remove the configuration.

By default, no PKI domain exists.

Example

# Enter PKI domain view.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1]

1.1.27  pki entity

Syntax

pki entity name

undo pki entity name

View

System view

Parameter

name: Unique ID of the entity, in a case-insensitive string of 1 to 15 characters.

Description

Use the pki entity command to name a PKI entity and enter PKI entity view.

Use the undo pki entity command to remove the name and all configurations under the name space.

By default, entity name is not specified.

You can configure a variety of attributes for an entity in PKI entity view. The name is used only for reference by other commands; it does not populate any field of a certificate.

Example

# Enter PKI entity view.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en]

1.1.28  pki import-certificate

Syntax

pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

View

System view

Parameter

ca: Specifies a CA certificate.

local: Specifies a local certificate.

domain-name: PKI domain in which the certificate is located.

der: Specifies the certificate in the format of DER.

p12: Specifies the certificate in the format of P12.

pem: Specifies the certificate in the format of PEM.

filename filename: Certificate filename, in a case-insensitive string of 1 to 127 characters, which defaults to domain-name_ca.cer or domain-name_local.cer.

Description

Use the pki import-certificate command to import an existing CA certificate or local certificate and save it locally.

Related command: pki domain.

Example

# Import the CA certificate in the PKI domain named cer in the format of PEM.

<Sysname> system-view

[Sysname] pki import-certificate ca domain cer pem

1.1.29  pki request-certificate domain

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

View

System view

Parameter

domain-name: Domain name with CA or RA related information for certificate request.

password: Password needed for certificate revocation, in a case-insensitive string of 1 to 31 characters.

pkcs10: Displays the BASE64-encoded PKCS#10 certificate request on the terminal. This is intended for certificate requests delivered out of band, by phone, disk or e-mail.

filename: Name of the file for saving the PKCS#10 certificate request, in a case-insensitive string of 1 to 127 characters.

Description

Use the pki request-certificate domain command to request a local certificate from the CA through SCEP. If SCEP fails, you can print the local certificate request in BASE64 format using the optional pkcs10 keyword, copy it, and send it to the CA by phone, disk or e-mail.

This operation will not be saved within the configuration.

Related command: pki domain.

Example

# Specify to manually apply for a certificate and display the PKCS#10 certificate request information.

<Sysname> system-view

[Sysname] pki request-certificate domain 1 pkcs10

1.1.30  pki retrieval-certificate

Syntax

pki retrieval-certificate { ca | local } domain domain-name

View

System view

Parameter

ca: Specifies to download a CA certificate.

local: Specifies to download a local certificate.

domain-name: Domain name with CA or RA related information for certificate request.

Description

Use the pki retrieval-certificate command to retrieve a certificate from the certificate issuing server and then download it locally.

Related command: pki domain.

Example

# Retrieve a certificate.

<Sysname> system-view

[Sysname] pki retrieval-certificate ca domain 1

1.1.31  pki retrieval-crl domain

Syntax

pki retrieval-crl domain domain-name

View

System view

Parameter

domain-name: Domain name with CA or RA related information for certificate request.

Description

Use the pki retrieval-crl command to retrieve the latest CRL from the CRL server for the purpose of verifying the validity of the existing certificate.

Related command: pki domain.

Example

# Retrieve a CRL.

<Sysname> system-view

[Sysname] pki retrieval-crl domain 1

1.1.32  pki validate-certificate

Syntax

pki validate-certificate { ca | local } domain domain-name

View

System view

Parameter

ca: Specifies to validate a CA certificate.

local: Specifies to validate a local certificate.

domain-name: Domain of the certificate to be verified.

Description

Use the pki validate-certificate command to verify the validity of a certificate.

The check verifies the CA signature on the certificate and makes sure that the certificate is still within its validity period and has not been revoked.

Related command: pki domain.

Example

# Verify the validity of a local certificate.

<Sysname> system-view

[Sysname] pki validate-certificate local domain 1

1.1.33  root-certificate fingerprint

Syntax

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

View

PKI domain view

Parameter

md5: Specifies to use MD5 fingerprint.

sha1: Specifies to use SHA1 fingerprint.

string: Fingerprint to be used. For MD5 fingerprint, it must consist of 32 characters in hexadecimal format. For SHA1 fingerprint, it must consist of 40 characters in hexadecimal format.

Description

Use the root-certificate fingerprint command to configure the fingerprint used for validating the CA root certificate.

Use the undo root-certificate fingerprint command to remove the configuration.

By default, no fingerprint is configured for validating the CA root certificate.

Example

# Configure MD5 fingerprint for validating the CA root certificate.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure SHA1 fingerprint for validating the CA root certificate.

[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
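The following is an added example, not code from the H3C manual, showing what the root-certificate fingerprint command implies: the fingerprint is obtained from the CA out of band and configured on the device, and the downloaded CA root certificate is accepted only if the hash of its DER encoding matches. The DER bytes are a constructed stand-in, and the status names returned by validate_root_certificate are this example's own; the command line parsed uses the MD5 string from the example above.

```python
"""Root certificate fingerprint validation (added example, not H3C code).

Mirrors the root-certificate fingerprint { md5 | sha1 } string command: the
configured string must be 32 (MD5) or 40 (SHA1) hexadecimal characters, and
the CA root certificate is accepted only when the digest of its DER encoding
matches. SAMPLE_ROOT_DER is constructed, not a real certificate.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Required fingerprint length in hexadecimal characters, from the command syntax.
FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}
HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_fingerprint_string(algorithm: str, string: str) -> str:
    """Validate the configured string as the command does; return it lowercased."""
    if algorithm not in FINGERPRINT_LENGTH:
        raise ValueError("algorithm must be md5 or sha1")
    if len(string) != FINGERPRINT_LENGTH[algorithm] or not HEX_RE.match(string):
        raise ValueError(f"{algorithm} fingerprint must be "
                         f"{FINGERPRINT_LENGTH[algorithm]} hexadecimal characters")
    return string.lower()


def parse_fingerprint_command(line: str) -> Tuple[str, str]:
    """Parse 'root-certificate fingerprint { md5 | sha1 } string'."""
    words = line.split()
    if len(words) != 4 or words[:2] != ["root-certificate", "fingerprint"]:
        raise ValueError("not a root-certificate fingerprint command")
    return words[2], check_fingerprint_string(words[2], words[3])


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hex digest of the DER-encoded certificate."""
    return HASHES[algorithm](der).hexdigest()


def validate_root_certificate(der: bytes, algorithm: Optional[str] = None,
                              configured: Optional[str] = None) -> str:
    """'unverified' if no fingerprint is configured (the page's default state),
    otherwise 'match' or 'mismatch'."""
    if configured is None:
        return "unverified"
    expected = check_fingerprint_string(algorithm, configured)
    actual = fingerprint(der, algorithm)
    # Constant-time comparison; both strings are lowercase hex of equal length.
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-in for the DER encoding of a downloaded CA root certificate.
SAMPLE_ROOT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"constructed-root-ca"

if __name__ == "__main__":
    algo, fp = parse_fingerprint_command(
        "root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E")
    print(validate_root_certificate(SAMPLE_ROOT_DER, algo, fp))
    print(validate_root_certificate(SAMPLE_ROOT_DER, "sha1",
                                    fingerprint(SAMPLE_ROOT_DER, "sha1")))
```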

1.1.34  rule

Syntax

rule [ id ] { deny | permit } group-name

undo rule { id | all }

View

Access control policy view

Parameter

id: Access control rule number of the certificate attribute, in the range 1 to 16, which defaults to the smallest unused number in that range.

deny: The certificate is considered invalid and fails the access control policy check when it matches the attributes defined in the attribute group.

permit: The certificate is considered valid and passes the access control policy check when it matches the attributes defined in the attribute group.

group-name: Name of the certificate attribute group related to the rule, in a case-insensitive string of 1 to 16 characters, excluding “a”, “al” and “all”.

all: All the control rules.

Description

Use the rule command to create an access control rule for certificate attributes.

Use the undo rule command to delete one or all the access control rules.

No access control rule exists by default.

Note that the certificate attribute group referenced by a rule must already exist.

Example

# Create an access control rule, meaning that the certificate is thought of as valid and can pass the access control policy detection when a certificate matches the attributes in the certificate attribute group mygroup.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
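The following is an added example, not code from the H3C manual, modelling the attribute command (1.1.1) and the rule command (1.1.34) together so that a policy can be checked offline before it is applied. Assumptions not stated on the page: all attributes in a group must match, rules are evaluated in ascending id order with the first match deciding, and a certificate matching no rule is denied; the groups, rules and certificate fields are constructed.

```python
"""Certificate attribute groups and access control policy rules
(added example, not H3C code).

Assumptions not stated in the manual: attributes in a group are ANDed, rules
are evaluated in ascending id order and the first match decides, and a
certificate that matches no rule is denied. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Operators exactly as the attribute command names them; comparison is
# case-insensitive because attribute-value is a case-insensitive string.
OPS = {
    "ctn": lambda actual, pattern: pattern in actual,
    "equ": lambda actual, pattern: actual == pattern,
    "nctn": lambda actual, pattern: pattern not in actual,
    "nequ": lambda actual, pattern: actual != pattern,
}

# alt-subject-name has no dn form (see the note under 1.1.1).
ALLOWED_KINDS = {
    "subject-name": ("dn", "fqdn", "ip"),
    "issuer-name": ("dn", "fqdn", "ip"),
    "alt-subject-name": ("fqdn", "ip"),
}


@dataclass(frozen=True)
class Attribute:
    id: int      # 1 to 16
    name: str    # subject-name | issuer-name | alt-subject-name
    kind: str    # dn | fqdn | ip
    op: str      # ctn | equ | nctn | nequ
    value: str   # 1 to 128 characters

    def __post_init__(self) -> None:
        if not 1 <= self.id <= 16:
            raise ValueError("attribute id must be 1 to 16")
        if self.kind not in ALLOWED_KINDS.get(self.name, ()):
            raise ValueError(f"{self.name} does not support {self.kind}")
        if self.op not in OPS:
            raise ValueError(f"unknown operation {self.op}")
        if not 1 <= len(self.value) <= 128:
            raise ValueError("attribute-value must be 1 to 128 characters")


@dataclass(frozen=True)
class Rule:
    id: int       # 1 to 16
    action: str   # deny | permit
    group: str    # name of an existing attribute group

    def __post_init__(self) -> None:
        if not 1 <= self.id <= 16 or self.action not in ("deny", "permit"):
            raise ValueError("bad rule")


# A certificate is modelled as name -> kind -> string; a missing field is "".
Certificate = Dict[str, Dict[str, str]]


def attribute_matches(attr: Attribute, cert: Certificate) -> bool:
    actual = (cert.get(attr.name, {}).get(attr.kind) or "").lower()
    return OPS[attr.op](actual, attr.value.lower())


def group_matches(attrs: List[Attribute], cert: Certificate) -> bool:
    # An empty group is taken never to match, so it cannot permit by accident.
    return bool(attrs) and all(attribute_matches(a, cert) for a in attrs)


def evaluate_policy(rules: List[Rule], groups: Dict[str, List[Attribute]],
                    cert: Certificate) -> str:
    """Return 'permit' or 'deny' for cert under the policy."""
    for rule in sorted(rules, key=lambda r: r.id):
        if rule.group not in groups:
            raise KeyError(f"attribute group {rule.group} does not exist")
        if group_matches(groups[rule.group], cert):
            return rule.action
    return "deny"


# Constructed groups in the shape shown by display pki certificate attribute-group.
GROUPS = {
    "mygroup1": [Attribute(1, "alt-subject-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [Attribute(1, "subject-name", "dn", "ctn", "abc"),
                 Attribute(2, "issuer-name", "fqdn", "nctn", "apple")],
}
# Policy mypolicy: rule 1 deny mygroup1, rule 2 permit mygroup2 (listed out of
# order on purpose to show that evaluation sorts by id).
RULES = [Rule(2, "permit", "mygroup2"), Rule(1, "deny", "mygroup1")]

# Constructed certificate fields, as strings the device would extract.
SAMPLE_CERT: Certificate = {
    "subject-name": {"dn": "C=CN,ST=Country B,L=City Y,O=abc,CN=pki test",
                     "fqdn": "pki.domain-name.com", "ip": "161.12.2.3"},
    "issuer-name": {"dn": "C=CN,O=abc,OU=bjs,CN=new-ca"},
    "alt-subject-name": {"fqdn": "hyf.xxyyzz.net", "ip": "161.12.2.3"},
}

if __name__ == "__main__":
    print(evaluate_policy(RULES, GROUPS, SAMPLE_CERT))
```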

1.1.35  state

Syntax

state state-name

undo state

View

PKI entity view

Parameter

state-name: State or province name, in a case-insensitive string of 1 to 31 characters.

Description

Use the state command to specify the name of the state or province where an entity resides.

Use the undo state command to remove the configuration.

By default, no state is specified.

Example

# Specify the state where an entity resides.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] state Country
