R3303-HP HSR6800 Routers Security Command Reference

263

# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.

[Sysname-pki-domain-1] root-certificate fingerprint sha1

D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

rule (PKI CERT ACP view)

Use rule to create a certificate attribute access control rule.

Use undo rule to delete one or all access control rules.

Syntax

rule [ id ] { deny | permit } group-name

undo rule { id | all }

Default

No access control rule exists.

Views

PKI certificate access control policy view

Default command level

2: System level

Parameters

id: Specifies the ID of the certificate attribute access control rule. The value range is 1 to 16, and the

default is the smallest unused number in this range.

deny: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group

is considered invalid and denied.

permit: Indicates that a certificate whose attributes match an attribute rule in the specified attribute group

is considered valid and permitted.

group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 16

characters. It cannot be a, al, or all.

all: Specifies all access control rules.

Usage guidelines

A certificate attribute group must exist to be associated with a rule.

Examples

# Create an access control rule, specifying that a certificate is considered valid when it matches an

attribute rule in the certificate attribute group mygroup.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

state

Use state to specify the name of the state or province where an entity resides.

Use undo state to remove the configuration.