4000 Router Series Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP MSR2003 AC Router

121

122

123

124

125

126

127

128

129

130

112

Removing a certificate

CAUTION:

hen you remove the CA certificate in a domain, the system also removes the local certificates, peer

certificates, and CRLs in the same PKI domain.

Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private

key is compromised, do the following tasks:

1. Remove the local certificate.

2. Use public-key local destroy to destroy the existing local key pair.

3. Use public-key local create to generate a new key pair.

4. Request a new certificate.

To remove a certificate:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Remove a certificate.

pki delete-certificate domain domain-name { ca |

local | peer [ serial serial-num ] }

If no serial number is

specified, the command

removes all peer

certificates.

Configuring a certificate access control policy

You can configure a certificate access control policy on a server to control user access, securing the

server. For example, in an HTTPS application, you can configure a certificate access control policy on an

HTTPS server to verify the validity of client certificates.

A certificate access control policy is a set of certificate access control rules (permit or deny statements),

each associating with a certificate attribute group. A certificate attribute group contains multiple attribute

rules, each defining a matching criterion for the issuer name, subject name, or alternative subject names

of the certificate. A certificate matches a statement if it matches all attribute rules in the certificate

attribute group that associates with the statement.

A certificate matches the statements in a policy by sequence number in ascending order. When a match

is found, the match process stops, and access control is performed based on the certificate verification

result.

The following describes how a certificate access control policy verifies the validity of a certificate:

• If a certificate matches a permit statement, the certificate passes the verification.

• If a certificate matches a deny statement or does not match any statements in the policy, the

certificate is regarded invalid.

• If a statement associates with a non-existing attribute group, or the attribute group is configured

without any attribute rules, the certificate matches the statement.

• If the certificate access control policy referenced by a security application (for example, HTTPS)

does not exist, all certificates in the application pass the verification.