H3C S5500-EI Series Switches Command Manual-Release 2102(V1.01)

40-PKI Commands

Chapter 1  PKI Configuration Commands

1.1  PKI Configuration Commands

1.1.1  attribute

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value

undo attribute { id | all }

View

Certificate attribute group view

Parameters

id: Sequence number of the certificate attribute rule, in the range 1 to 16.

alt-subject-name: Specifies the name of the alternative certificate subject.

fqdn: Specifies the FQDN of the entity.

ip: Specifies the IP address of the entity.

issuer-name: Specifies the name of the certificate issuer.

subject-name: Specifies the name of the certificate subject.

dn: Specifies the domain name of the entity.

ctn: Specifies the contain operation.

equ: Specifies the equal operation.

nctn: Specifies the not-contain operation.

nequ: Specifies the not-equal operation.

attribute-value: Value of the certificate attribute, a case-insensitive string of 1 to 128 characters.

all: Specifies all certificate attributes.

Description

Use the attribute command to configure the attribute rules of the certificate issuer name, certificate subject name and alternative certificate subject name.

Use the undo attribute command to delete the attributes of one or all certificates.

By default, there is no restriction on the issuer name, subject name, and alternative subject name of a certificate.

Note that the attribute of the alternative certificate subject name does not appear as a domain name, and therefore the dn keyword is not available for the attribute.

Examples

# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of abc.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

1.1.2  ca identifier

Syntax

ca identifier name

undo ca identifier

View

PKI domain view

Parameters

name: Identifier of the trusted CA, a case-insensitive string of 1 to 63 characters.

Description

Use the ca identifier command to specify the trusted CA and bind the device with the CA.

Use the undo ca identifier command to remove the configuration.

By default, no trusted CA is specified for a PKI domain.

Certificate request, retrieval, revocation, and query all depend on the trusted CA.

Examples

# Specify the trusted CA as new-ca.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ca identifier new-ca

1.1.3  certificate request entity

Syntax

certificate request entity entity-name

undo certificate request entity

View

PKI domain view

Parameters

entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters.

Description

Use the certificate request entity command to specify the entity for certificate request.

Use the undo certificate request entity command to remove the configuration.

By default, no entity is specified for a PKI domain.

Related commands: pki entity.

Examples

# Specify the entity for certificate request as entity1.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request entity entity1

1.1.4  certificate request from

Syntax

certificate request from { ca | ra }

undo certificate request from

View

PKI domain view

Parameters

ca: Indicates that the entity requests a certificate from a CA.

ra: Indicates that the entity requests a certificate from an RA.

Description

Use the certificate request from command to specify the authority for certificate request.

Use the undo certificate request from command to remove the configuration.

By default, no authority is specified for a PKI domain.

Examples

# Specify that the entity requests a certificate from the CA.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request from ca

1.1.5  certificate request mode

Syntax

certificate request mode { auto [ key-length key-length | password { cipher | simple } password ]* | manual }

undo certificate request mode

View

PKI domain view

Parameters

auto: Specifies to request a certificate in auto mode.

key-length: Length of the RSA key, in the range 512 to 2,048 bits. It is 1,024 bits by default.

password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.

cipher: Specifies to display the password in cipher text.

simple: Specifies to display the password in clear text.

manual: Specifies to request a certificate in manual mode.

Description

Use the certificate request mode command to set the certificate request mode.

Use the undo certificate request mode command to restore the default.

By default, manual mode is used.

In auto mode, an entity automatically requests a certificate from an RA or CA when it has no certificate or when the existing certificate is about to expire. In manual mode, all operations associated with certificate request are carried out manually.

Related commands: pki request-certificate.

Examples

# Specify to request a certificate in auto mode.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request mode auto

1.1.6  certificate request polling

Syntax

certificate request polling { count count | interval minutes }

undo certificate request polling { count | interval }

View

PKI domain view

Parameters

count: Maximum number of attempts to poll the status of the certificate request, in the range 1 to 100.

minutes: Polling interval, in the range 5 to 168 minutes.

Description

Use the certificate request polling command to specify the certificate request polling interval and maximum number of attempts.

Use the undo certificate request polling command to restore the defaults.

By default, the polling is executed every 20 minutes for up to 50 times.

After an applicant makes a certificate request, the CA may need a long period of time if it verifies the certificate request manually. During this period, the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed.

Related commands: display pki certificate.

Examples

# Specify the polling interval as 15 minutes and the maximum number of attempts as 40.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request polling interval 15

[Sysname-pki-domain-1] certificate request polling count 40

1.1.7  certificate request url

Syntax

certificate request url url-string

undo certificate request url

View

PKI domain view

Parameters

url-string: URL of the server for certificate request, a case-insensitive string of 1 to 127 characters. It comprises the location of the server and the location of the CGI command interface script, in the format http://server_location/ca_script_location, where server_location is generally expressed as an IP address.

Description

Use the certificate request url command to specify the URL of the server for certificate request through SCEP.

Use the undo certificate request url command to remove the configuration.

By default, no URL is specified for a PKI domain.

Examples

# Specify the URL of the server for certificate request.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

1.1.8  common-name

Syntax

common-name name

undo common-name

View

PKI entity view

Parameters

name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included.

Description

Use the common-name command to configure the common name of an entity, which can be, for example, the user name.

Use the undo common-name command to remove the configuration.

By default, no common name is specified.

Examples

# Configure the common name of an entity as test.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] common-name test

1.1.9  country

Syntax

country country-code-str

undo country

View

PKI entity view

Parameters

country-code-str: Country code for the entity, a 2-character case-insensitive string.

Description

Use the country command to specify the code of the country to which an entity belongs. It is a standard 2-character code, for example, CN for China.

Use the undo country command to remove the configuration.

By default, no country code is specified.

Examples

# Set the country code of an entity to CN.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] country CN

1.1.10  crl check

Syntax

crl check { disable | enable }

View

PKI domain view

Parameters

disable: Disables CRL checking.

enable: Enables CRL checking.

Description

Use the crl check command to enable or disable CRL checking.

By default, CRL checking is enabled.

CRLs are files issued by the CA to distribute the list of all certificates that have been revoked. A certificate may be revoked before it expires. CRL checking verifies whether a certificate has been revoked; a revoked certificate is no longer trusted.

Examples

# Disable CRL checking.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl check disable

1.1.11  crl update-period

Syntax

crl update-period hours

undo crl update-period

View

PKI domain view

Parameters

hours: CRL update period, in the range 1 to 720 hours.

Description

Use the crl update-period command to set the CRL update period, that is, the interval at which the PKI entity downloads the latest CRL.

Use the undo crl update-period command to restore the default.

By default, the CRL update period depends on the next update field in the CRL file.

The CRL update period is the interval at which a PKI entity with a certificate downloads a CRL from LDAP server.

Examples

# Set the CRL update period to 20 hours.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl update-period 20

1.1.12  crl url

Syntax

crl url url-string

undo crl url

View

PKI domain view

Parameters

url-string: URL of the CRL distribution point, a case-insensitive string of 1 to 127 characters in the format ldap://server_location, where server_location is generally expressed as an IP address.

Description

Use the crl url command to specify the URL of the CRL distribution point.

Use the undo crl url command to remove the configuration.

By default, no CRL distribution point URL is specified.

Note that when the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate first, and then acquire a CRL through SCEP.

Examples

# Specify the URL of the CRL distribution point.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] crl url ldap://169.254.0.30

1.1.13  display pki certificate

Syntax

display pki certificate { { ca | local } domain domain-name | request-status }

View

Any view

Parameters

ca: Displays the CA certificate.

local: Displays the local certificate.

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

request-status: Displays the status of a certificate request.

Description

Use the display pki certificate command to display the contents or request status of a certificate.

Related commands: pki retrieval-certificate, pki domain and certificate request polling.

Examples

# Display the local certificate.

<Sysname> display pki certificate local domain 1

Data:

        Version: 3 (0x2)

        Serial Number:

            10B7D4E3 00010000 0086

        Signature Algorithm:  md5WithRSAEncryption

        Issuer:

            emailAddress=myca@aabbcc.net

            C=CN

            ST=Country A

            L=City X

            O=abc

            OU=bjs

            CN=new-ca

        Validity

            Not Before:  Jan 13 08:57:21 2004 GMT

            Not After :  Jan 20 09:07:21 2005 GMT

        Subject:

            C=CN

            ST=Country B

            L=City Y

            CN=pki test

        Subject Public Key Info:

            Public Key Algorithm:  rsaEncryption

            RSA Public Key:  (512 bit)

                Modulus (512 bit):

                    00D41D1F …

                Exponent:  65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Alternative Name:

            DNS: hyf.xxyyzz.net

            X509v3 CRL Distribution Points:

            URI:http://1.1.1.1:447/myca.crl

            …          …

    Signature Algorithm:  md5WithRSAEncryption

        A3A5A447 4D08387D …

Table 1-1 Description of the fields of the display pki certificate command

Field | Description
Version | Version of the certificate
Serial Number | Serial number of the certificate
Signature Algorithm | Signature algorithm
Issuer | Issuer of the certificate
Validity | Validity period of the certificate
Subject | Entity holding the certificate
Subject Public Key Info | Public key information of the entity
X509v3 extensions | Extensions of the X509 (version 3) certificate
X509v3 CRL Distribution Points | Distribution points of X509 (version 3) CRLs

1.1.14  display pki certificate access-control-policy

Syntax

display pki certificate access-control-policy { policy-name | all }

View

Any view

Parameters

policy-name: Name of the certificate attribute-based access control policy, a string of 1 to 16 characters.

all: Specifies all certificate attribute-based access control policies.

Description

Use the display pki certificate access-control-policy command to display information about a specified or all certificate attribute-based access control policies.

Examples

# Display information about the certificate attribute-based access control policy named mypolicy.

<Sysname> display pki certificate access-control-policy mypolicy

 access-control-policy name: mypolicy

     rule  1 deny    mygroup1

     rule  2 permit  mygroup2

Table 1-2 Description of the fields of the display pki certificate access-control-policy command

Field | Description
access-control-policy name | Name of the certificate attribute-based access control policy
rule number | Number of the access control rule

1.1.15  display pki certificate attribute-group

Syntax

display pki certificate attribute-group { group-name | all }

View

Any view

Parameters

group-name: Name of a certificate attribute group, a string of 1 to 16 characters.

all: Specifies all certificate attribute groups.

Description

Use the display pki certificate attribute-group command to display information about a specified or all certificate attribute groups.

Examples

# Display information about certificate attribute group mygroup.

<Sysname> display pki certificate attribute-group mygroup

 attribute group name: mygroup

      attribute  1 subject-name     dn    ctn   abc

      attribute  2 issuer-name      fqdn  nctn  app

Table 1-3 Description of the fields of the display pki certificate attribute-group command

Field | Description
attribute group name | Name of the certificate attribute group
attribute number | Number of the attribute rule
subject-name | Name of the certificate subject
dn | Domain name of the entity
ctn | Indicates the contain operation
abc | Value of attribute 1
issuer-name | Name of the certificate issuer
fqdn | FQDN of the entity
nctn | Indicates the not-contain operation
app | Value of attribute 2

1.1.16  display pki crl domain

Syntax

display pki crl domain domain-name

View

Any view

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Description

Use the display pki crl domain command to display the locally saved CRLs.

Related commands: pki retrieval-crl and pki domain.

Examples

# Display the locally saved CRLs.

<Sysname> display pki crl domain 1

 Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm:  sha1WithRSAEncryption

        Issuer:

            C=CN

            O=abc

            OU=soft

            CN=A Test Root

        Last Update:  Jan  5 08:44:19 2004 GMT

        Next Update:  Jan  5 21:42:13 2004 GMT

        CRL extensions:

            X509v3 Authority Key Identifier:

            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC

            Revoked Certificates:

            Serial Number: 05a234448E…

            Revocation Date: Sep  6 12:33:22 2004 GMT

            CRL entry extensions:…

            Serial Number: 05a234448E…

            Revocation Date: Sep  6 12:33:22 2004 GMT

            CRL entry extensions:…

Table 1-4 Description of the fields of the display pki crl domain command

Field | Description
Version | Version of the CRLs
Signature Algorithm | Signature algorithm used by the CRLs
Issuer | CA issuing the CRLs
Last Update | Last update time
Next Update | Next update time
CRL extensions | Extensions of the CRL
X509v3 Authority Key Identifier | CA issuing the CRLs. The certificate version is X509v3.
keyid | ID of the public key
Revoked Certificates | Revoked certificates
Serial Number | Serial number of the revoked certificate
Revocation Date | Revocation date of the certificate

1.1.17  fqdn

Syntax

fqdn name-str

undo fqdn

View

PKI entity view

Parameters

name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters.

Description

Use the fqdn command to configure the FQDN of an entity.

Use the undo fqdn command to remove the configuration.

By default, no FQDN is specified for an entity.

An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain name and can be resolved into an IP address.

Examples

# Configure the FQDN of an entity as pki.domain-name.com.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] fqdn pki.domain-name.com

1.1.18  ip

Syntax

ip ip-address

undo ip

View

PKI entity view

Parameters

ip-address: IP address for an entity.

Description

Use the ip command to configure the IP address of an entity.

Use the undo ip command to remove the configuration.

By default, no IP address is specified for an entity.

Examples

# Configure the IP address of an entity as 11.0.0.1.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] ip 11.0.0.1

1.1.19  ldap-server

Syntax

ldap-server ip ip-address [ port port-number ] [ version version-number ]

undo ldap-server

View

PKI domain view

Parameters

ip-address: IP address of the LDAP server, in dotted decimal format.

port-number: Port number of the LDAP server, in the range 1 to 65535. The default is 389.

version-number: LDAP version number, either 2 or 3. By default, it is 2.

Description

Use the ldap-server command to specify an LDAP server for a PKI domain.

Use the undo ldap-server command to remove the configuration.

By default, no LDAP server is specified for a PKI domain.

Examples

# Specify an LDAP server for PKI domain 1.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] ldap-server ip 169.254.0.30

1.1.20  locality

Syntax

locality locality-name

undo locality

View

PKI entity view

Parameters

locality-name: Name for the geographical locality, a case-insensitive string of 1 to 31 characters. No comma can be included.

Description

Use the locality command to configure the geographical locality of an entity, which can be, for example, a city name.

Use the undo locality command to remove the configuration.

By default, no geographical locality is specified for an entity.

Examples

# Configure the locality of an entity as city.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] locality city

1.1.21  organization

Syntax

organization org-name

undo organization

View

PKI entity view

Parameters

org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.

Description

Use the organization command to configure the name of the organization to which the entity belongs.

Use the undo organization command to remove the configuration.

By default, no organization name is specified for an entity.

Examples

# Configure the name of the organization to which an entity belongs as org-name.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organization org-name

1.1.22  organizational-unit

Syntax

organizational-unit org-unit-name

undo organizational-unit

View

PKI entity view

Parameters

org-unit-name: Organization unit name, a case-insensitive string of 1 to 31 characters. No comma can be included. This argument is intended to distinguish different units in an organization.

Description

Use the organizational-unit command to specify the name of the organization unit to which this entity belongs.

Use the undo organizational-unit command to remove the configuration.

By default, no organization unit name is specified for an entity.

Examples

# Configure the name of the organization unit to which an entity belongs as unit-name.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] organizational-unit unit-name

1.1.23  pki certificate access-control-policy

Syntax

pki certificate access-control-policy policy-name

undo pki certificate access-control-policy { policy-name | all }

View

System view

Parameters

policy-name: Name of the certificate attribute-based access control policy, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al” or “all”.

all: Specifies all certificate attribute-based access control policies.

Description

Use the pki certificate access-control-policy command to create a certificate attribute-based access control policy and enter its view.

Use the undo pki certificate access-control-policy command to remove a specified or all certificate attribute-based access control policies.

No access control policy exists by default.

Examples

# Configure an access control policy named mypolicy and enter its view.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy]

1.1.24  pki certificate attribute-group

Syntax

pki certificate attribute-group group-name

undo pki certificate attribute-group { group-name | all }

View

System view

Parameters

group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al” or “all”.

all: Specifies all certificate attribute groups.

Description

Use the pki certificate attribute-group command to create a certificate attribute group and enter its view.

Use the undo pki certificate attribute-group command to delete one or all certificate attribute groups.

By default, no certificate attribute group exists.

Examples

# Create a certificate attribute group named mygroup and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup]

1.1.25  pki delete-certificate

Syntax

pki delete-certificate { ca | local } domain domain-name

View

System view

Parameters

ca: Deletes the locally stored CA certificate.

local: Deletes the locally stored local certificate.

domain-name: Name of the PKI domain whose certificates are to be deleted, a string of 1 to 15 characters.

Description

Use the pki delete-certificate command to delete locally stored certificates.

Examples

# Delete the local certificate for PKI domain cer.

<Sysname> system-view

[Sysname] pki delete-certificate local domain cer

1.1.26  pki domain

Syntax

pki domain domain-name

undo pki domain domain-name

View

System view

Parameters

domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters.

Description

Use the pki domain command to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain.

Use the undo pki domain command to remove a PKI domain.

By default, no PKI domain exists.

Examples

# Create a PKI domain and enter its view.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1]

1.1.27  pki entity

Syntax

pki entity entity-name

undo pki entity entity-name

View

System view

Parameters

entity-name: Name for the entity, a case-insensitive string of 1 to 15 characters.

Description

Use the pki entity command to create a PKI entity and enter PKI entity view.

Use the undo pki entity command to remove a PKI entity.

By default, no entity exists.

You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for convenience of reference by other commands.

Examples

# Create a PKI entity named en and enter its view.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en]

1.1.28  pki import-certificate

Syntax

pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]

View

System view

Parameters

ca: Specifies a CA certificate.

local: Specifies a local certificate.

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

der: Specifies the certificate format of DER.

p12: Specifies the certificate format of P12.

pem: Specifies the certificate format of PEM.

filename: Name of the certificate file, a case-insensitive string of 1 to 127 characters. It defaults to domain-name_ca.cer or domain-name_local.cer, the name for the file to be created to save the imported certificate.

Description

Use the pki import-certificate command to import a CA certificate or local certificate from a file and save it locally.

Related commands: pki domain.

Examples

# Import the CA certificate for PKI domain cer in the format of PEM.

<Sysname> system-view

[Sysname] pki import-certificate ca domain cer pem

1.1.29  pki request-certificate domain

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

View

System view

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters.

pkcs10: Displays the BASE64-encoded PKCS#10 certificate request.

filename: Name of the file for saving the PKCS#10 certificate request, a case-insensitive string of 1 to 127 characters.

Description

Use the pki request-certificate domain command to request a local certificate from a CA through SCEP. If SCEP fails, you can use the pkcs10 keyword to save the local certificate request in BASE64 format and send it to the CA by an out-of-band means like phone, disk or e-mail.

This operation will not be saved in the configuration file.

Related commands: pki domain.

Examples

# Display the PKCS#10 certificate request information.

<Sysname> system-view

[Sysname] pki request-certificate domain 1 pkcs10

1.1.30  pki retrieval-certificate

Syntax

pki retrieval-certificate { ca | local } domain domain-name

View

System view

Parameters

ca: Downloads a CA certificate.

local: Downloads a local certificate.

domain-name: Name of the PKI domain used for certificate request.

Description

Use the pki retrieval-certificate command to retrieve a certificate from the server for certificate distribution.

Related commands: pki domain.

Examples

# Retrieve the CA certificate from the certificate issuing server.

<Sysname> system-view

[Sysname] pki retrieval-certificate ca domain 1

1.1.31  pki retrieval-crl domain

Syntax

pki retrieval-crl domain domain-name

View

System view

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Description

Use the pki retrieval-crl command to retrieve the latest CRLs from the server for CRL distribution.

CRLs are used to validate certificates.

Related commands: pki domain.

Examples

# Retrieve CRLs.

<Sysname> system-view

[Sysname] pki retrieval-crl domain 1

1.1.32  pki validate-certificate

Syntax

pki validate-certificate { ca | local } domain domain-name

View

System view

Parameters

ca: Validates the CA certificate.

local: Validates the local certificate.

domain-name: Name of the PKI domain to which the certificate to be validated belongs, a string of 1 to 15 characters.

Description

Use the pki validate-certificate command to verify the validity of a certificate.

The focus of certificate validity verification is to check that the certificate is signed by the CA and that the certificate has neither expired nor been revoked.

Related commands: pki domain.

Examples

# Verify the validity of the local certificate.

<Sysname> system-view

[Sysname] pki validate-certificate local domain 1
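The revocation part of the validation described here (and in crl check, 1.1.10) works on the CRL that display pki crl domain (1.1.16) shows. The following added example, not H3C code, parses that text layout and applies the two checks a validator needs: is the serial listed, and is the cached CRL still current. The sample CRL, its serials and dates are constructed, and the treatment of crl update-period as a freshness bound is an assumption.

```python
"""Parse the text form of 'display pki crl domain' and apply the CRL-checking
part of certificate validation (added example, not H3C code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample in the layout of the display output on this page;
# the serial numbers and dates are made up.
SAMPLE_CRL = """\
 Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm:  sha1WithRSAEncryption
        Issuer:
            C=CN
            O=abc
            CN=A Test Root
        Last Update:  Jan  5 08:44:19 2004 GMT
        Next Update:  Jan  5 21:42:13 2004 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
            Revoked Certificates:
            Serial Number: 05A234448E
            Revocation Date: Dec 20 10:15:00 2003 GMT
            Serial Number: 10B7D4E3 00010000 0086
            Revocation Date: Jan  3 09:00:00 2004 GMT
"""


def parse_time(text: str) -> datetime:
    """'Jan  5 08:44:19 2004 GMT' (day padded with a space) -> aware UTC datetime."""
    fields = " ".join(text.split())
    return datetime.strptime(fields, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def norm_serial(text: str) -> str:
    """Serials print as spaced hex groups; compare without spaces, case or leading zeros."""
    return text.replace(" ", "").upper().lstrip("0") or "0"


def parse_crl(text: str) -> dict:
    """Pick the issuer, update times and revoked serials out of the display output."""
    crl = {"issuer": {}, "revoked": {}}
    in_revoked, serial = False, None
    for raw in text.splitlines():
        line = raw.strip()
        head, _, rest = line.partition(":")
        if head in ("Last Update", "Next Update"):
            crl[head.lower().replace(" ", "_")] = parse_time(rest)
        elif head == "Revoked Certificates":
            in_revoked = True
        elif in_revoked and head == "Serial Number":
            serial = norm_serial(rest)
        elif in_revoked and head == "Revocation Date":
            crl["revoked"][serial] = parse_time(rest)
        elif not in_revoked and "=" in line:  # issuer DN components
            key, value = line.split("=", 1)
            crl["issuer"][key] = value
    return crl


def crl_check(serial: str, crl: dict, now: datetime,
              update_period_hours: Optional[int] = None) -> Tuple[str, str]:
    """Return (status, detail) for a certificate serial against the cached CRL.
    The CRL is stale once now passes Next Update or, when crl update-period is
    set, Last Update plus that many hours (assumption: the period bounds how old
    a cached CRL may be). A stale CRL must be retrieved again before its answer
    is relied on; a listed serial means the certificate is no longer trusted."""
    stale_at = crl["next_update"]
    if update_period_hours is not None:
        stale_at = min(stale_at, crl["last_update"] + timedelta(hours=update_period_hours))
    if now > stale_at:
        return "stale-crl", f"CRL stale since {stale_at:%Y-%m-%d %H:%M} GMT; run pki retrieval-crl"
    key = norm_serial(serial)
    if key in crl["revoked"]:
        return "revoked", f"revoked on {crl['revoked'][key]:%Y-%m-%d %H:%M} GMT"
    return "good", "serial not listed in the current CRL"
```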

1.1.33  root-certificate fingerprint

Syntax

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

View

PKI domain view

Parameters

md5: Uses an MD5 fingerprint.

sha1: Uses a SHA1 fingerprint.

string: Fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal.

Description

Use the root-certificate fingerprint command to configure the fingerprint to be used for validating the CA root certificate.

Use the undo root-certificate fingerprint command to remove the configuration.

By default, no fingerprint is configured for validating the CA root certificate.

Examples

# Configure an MD5 fingerprint for validating the CA root certificate.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure a SHA1 fingerprint for validating the CA root certificate.

[Sysname-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
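How a fingerprint configured with this command is used when the CA root certificate arrives, as an added example that is not H3C code: the string is checked against the parameter rules above (32 or 40 hexadecimal characters), then compared with the digest of the certificate's DER bytes. The DER sample is a constructed stand-in, not a real certificate.

```python
"""Check a retrieved CA root certificate against the fingerprint configured
with root-certificate fingerprint { md5 | sha1 } string (added example, not
H3C code)."""
import hashlib
import hmac
import re

HEX_LENGTH = {"md5": 32, "sha1": 40}  # as the string parameter requires


def normalize_fingerprint(algorithm: str, configured: str) -> str:
    """Apply the parameter rules: 32 hexadecimal characters for md5, 40 for
    sha1. Colons and spaces, as printed by many CA tools, are tolerated;
    case is not significant."""
    if algorithm not in HEX_LENGTH:
        raise ValueError("algorithm must be md5 or sha1")
    digits = re.sub(r"[\s:]", "", configured).lower()
    if len(digits) != HEX_LENGTH[algorithm] or not re.fullmatch(r"[0-9a-f]*", digits):
        raise ValueError(f"a {algorithm} fingerprint must be {HEX_LENGTH[algorithm]} hexadecimal characters")
    return digits


def certificate_fingerprint(algorithm: str, der_bytes: bytes) -> str:
    """Fingerprint of a certificate: the digest of its DER encoding."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def root_certificate_trusted(algorithm: str, configured: str, der_bytes: bytes) -> bool:
    """True only when the retrieved root certificate's fingerprint equals the
    configured one. The comparison is constant-time; on a mismatch the CA
    certificate must not be accepted into the PKI domain."""
    expected = normalize_fingerprint(algorithm, configured)
    actual = certificate_fingerprint(algorithm, der_bytes)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for the DER bytes of a retrieved CA certificate
# (a DER-looking prefix only, not a parseable certificate).
SAMPLE_DER = bytes.fromhex("308201aa30820113a003020102020101300d06092a864886f70d01010b0500")
```

Of the two digests the command offers, sha1 is the one to pin; md5 is kept only for CAs that publish nothing else.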

1.1.34  rule

Syntax

rule [ id ] { deny | permit } group-name

undo rule { id | all }

View

Access control policy view

Parameters

id: Number of the certificate attribute access control rule, in the range 1 to 16. The default is the smallest unused number in this range.

deny: Indicates that a certificate matching an attribute rule in the specified attribute group is considered invalid and denied.

permit: Indicates that a certificate matching an attribute rule in the specified attribute group is considered valid and permitted.

group-name: Name of the certificate attribute group to be associated with the rule, a case-insensitive string of 1 to 16 characters. It cannot be “a”, “al” or “all”.

all: Specifies all access control rules.

Description

Use the rule command to create a certificate attribute access control rule.

Use the undo rule command to delete a specified or all access control rules.

By default, no access control rule exists.

Note that a certificate attribute group must exist to be associated with a rule.

Examples

# Create an access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup
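The attribute command (1.1.1) and the rule command above together decide whether a peer certificate is accepted. The following added example, not H3C code, models that evaluation: attribute rules in the CLI syntax, the four operations, the keyword restriction on alt-subject-name, default rule numbering, and a policy walked in rule order. The certificates and groups are constructed; treating an absent field as an empty string and denying a certificate that matches no rule are assumptions, since the manual does not say.

```python
"""Model of the certificate attribute-group and access-control-policy matching
described by the attribute and rule commands (added example, not H3C code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OPERATORS = ("ctn", "equ", "nctn", "nequ")
# Attribute kinds accepted by each name type; alt-subject-name has no dn form.
NAME_TYPES = {"subject-name": ("dn", "fqdn", "ip"),
              "issuer-name": ("dn", "fqdn", "ip"),
              "alt-subject-name": ("fqdn", "ip")}


@dataclass
class Attribute:
    """One attribute rule: attribute id name kind op value."""
    id: int
    name: str
    kind: str
    op: str
    value: str

    def __post_init__(self) -> None:
        # Range and keyword rules from the attribute command's parameter list.
        valid = (1 <= self.id <= 16 and self.kind in NAME_TYPES.get(self.name, ())
                 and self.op in OPERATORS and 1 <= len(self.value) <= 128)
        if not valid:
            raise ValueError(f"invalid attribute rule: {self}")

    @classmethod
    def from_command(cls, line: str) -> "Attribute":
        """Parse the CLI form, e.g. 'attribute 1 subject-name dn ctn abc'."""
        keyword, aid, name, kind, op, value = line.split(maxsplit=5)
        if keyword != "attribute":
            raise ValueError("not an attribute command")
        return cls(int(aid), name, kind, op, value)

    def matches(self, cert: Dict[str, Dict[str, str]]) -> bool:
        # attribute-value is case-insensitive. A field the certificate does not
        # carry is treated as an empty string (assumption; the manual is silent).
        actual = cert.get(self.name, {}).get(self.kind, "").lower()
        expected = self.value.lower()
        if self.op == "ctn":
            return expected in actual
        if self.op == "nctn":
            return expected not in actual
        if self.op == "equ":
            return actual == expected
        return actual != expected  # nequ


@dataclass
class AccessControlPolicy:
    """pki certificate access-control-policy: ordered deny/permit rules."""
    name: str
    rules: List[Tuple[int, str, str]] = field(default_factory=list)

    def rule(self, action: str, group_name: str, rule_id=None) -> int:
        """rule [ id ] { deny | permit } group-name; without id, the smallest
        unused number in 1 to 16 is taken, as the manual describes."""
        if action not in ("deny", "permit"):
            raise ValueError("action must be deny or permit")
        if rule_id is None:
            used = {r[0] for r in self.rules}
            rule_id = min(i for i in range(1, 17) if i not in used)
        self.rules = [r for r in self.rules if r[0] != rule_id] + [(rule_id, action, group_name)]
        return rule_id

    def evaluate(self, cert: Dict[str, Dict[str, str]], groups: Dict[str, List[Attribute]]) -> str:
        """Walk the rules in id order; the first group the certificate matches
        (any attribute rule in it, following this manual's wording) decides.
        A certificate that matches no rule is denied (assumption)."""
        for _, action, group_name in sorted(self.rules):
            if group_name not in groups:  # the group must exist (see rule)
                raise KeyError(f"attribute group {group_name} does not exist")
            if any(attr.matches(cert) for attr in groups[group_name]):
                return action
        return "deny"


# Constructed configuration, in the shape of the display output on this page.
GROUPS = {
    "mygroup1": [Attribute.from_command("attribute 1 alt-subject-name ip equ 10.0.0.1")],
    "mygroup2": [Attribute.from_command("attribute 1 subject-name dn ctn abc"),
                 Attribute.from_command("attribute 2 issuer-name fqdn nctn app")],
}
MYPOLICY = AccessControlPolicy("mypolicy")
MYPOLICY.rule("deny", "mygroup1")    # rule 1 deny   mygroup1
MYPOLICY.rule("permit", "mygroup2")  # rule 2 permit mygroup2

# Constructed peer certificates reduced to the fields the rules examine.
CERT_OK = {"subject-name": {"dn": "CN=pki test,O=abc"},
           "issuer-name": {"fqdn": "new-ca.aabbcc.net"},
           "alt-subject-name": {"ip": "10.0.0.2"}}
CERT_BAD_IP = {**CERT_OK, "alt-subject-name": {"ip": "10.0.0.1"}}
CERT_NO_MATCH = {"subject-name": {"dn": "CN=other"},
                 "issuer-name": {"fqdn": "app.example.net"}}


def decide(cert: Dict[str, Dict[str, str]]) -> str:
    return MYPOLICY.evaluate(cert, GROUPS)
```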

1.1.35  state

Syntax

state state-name

undo state

View

PKI entity view

Parameters

state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.

Description

Use the state command to specify the name of the state or province where an entity resides.

Use the undo state command to remove the configuration.

By default, no state or province is specified.

Examples

# Specify the state where an entity resides.

<Sysname> system-view

[Sysname] pki entity 1

[Sysname-pki-entity-1] state Country

 
