R0106-HP MSR Router Series Security Configuration Guide(V7)

A certificate access control policy is a set of certificate access control rules (permit or deny statements), each associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules, each defining a matching criterion for the issuer name, subject name, or alternative subject names of the certificate. A certificate matches a statement only if it matches all attribute rules in the certificate attribute group used by that statement.

A certificate is matched against the statements in a policy by sequence number in ascending order. When a match is found, the match process stops, and access control is performed based on the certificate verification result.
The following conditions describe how a certificate access control policy verifies the validity of a certificate:
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement, or does not match any statement in the policy, the certificate is regarded as invalid.
• If a statement is associated with a non-existing attribute group, or the attribute group is configured without any attribute rules, the certificate matches the statement.
• If the certificate access control policy referenced by a security application (for example, HTTPS) does not exist, all certificates in the application pass the verification.
To configure a certificate access control policy:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a certificate attribute group and enter its view.
  Command: pki certificate attribute-group group-name
  Remarks: By default, no certificate attribute group exists.

Step 3. (Optional.) Configure an attribute rule for issuer name, subject name, or alternative subject name.
  Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
  Remarks: By default, no attribute rule is configured.

Step 4. Return to system view.
  Command: quit
  Remarks: N/A

Step 5. Create a certificate access control policy and enter its view.
  Command: pki certificate access-control-policy policy-name
  Remarks: By default, no certificate access control policy exists.

Step 6. Create a certificate access control rule (or statement).
  Command: rule [ id ] { deny | permit } group-name
  Remarks: By default, no statement is configured, and all certificates can pass the verification. You can create multiple statements for a certificate access control policy.
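As an added example (not code from the HP guide), the following Python model applies the verification conditions described above and the six-step procedure just shown: attribute rules with the ctn, equ, nctn and nequ operators, statements tried in ascending id order with the first match deciding, a non-existing or empty attribute group matching every certificate, no match meaning invalid, and a missing policy passing everything. The certificate dictionary shape, the group and policy names, and all attribute values are constructed for illustration.

```python
from dataclasses import dataclass

# Certificates are modelled as nested dicts (constructed shape, no real parsing):
# {"subject-name": {"dn": "..."}, "alt-subject-name": {"fqdn": "..."}}
@dataclass
class AttrRule:
    field: str   # issuer-name | subject-name | alt-subject-name
    kind: str    # dn | fqdn | ip (alt-subject-name allows only fqdn or ip)
    op: str      # ctn | equ | nctn | nequ
    value: str

    def matches(self, cert: dict) -> bool:
        actual = cert.get(self.field, {}).get(self.kind, "")
        if self.op == "ctn":
            return self.value in actual
        if self.op == "nctn":
            return self.value not in actual
        if self.op == "equ":
            return actual == self.value
        if self.op == "nequ":
            return actual != self.value
        raise ValueError(f"unknown operator {self.op}")

@dataclass
class Statement:
    id: int      # statements are tried in ascending id order
    action: str  # permit | deny
    group: str   # certificate attribute group name

def statement_matches(stmt: Statement, groups: dict, cert: dict) -> bool:
    rules = groups.get(stmt.group)
    if not rules:  # non-existing group or group without rules: always matches
        return True
    return all(rule.matches(cert) for rule in rules)

def verify(policy, groups: dict, cert: dict) -> bool:
    if policy is None:  # referenced policy does not exist: everything passes
        return True
    for stmt in sorted(policy, key=lambda s: s.id):
        if statement_matches(stmt, groups, cert):
            return stmt.action == "permit"  # first match decides
    return False  # no statement matched: certificate is invalid

# Constructed sample data: deny contractor SANs first, then permit corporate certs.
GROUPS = {
    "blocked": [AttrRule("alt-subject-name", "fqdn", "ctn", "contractor")],
    "corp": [AttrRule("subject-name", "dn", "ctn", "O=Example Corp"),
             AttrRule("issuer-name", "dn", "equ", "CN=Example CA,O=Example Corp")],
}
POLICY = [Statement(20, "permit", "corp"), Statement(10, "deny", "blocked")]
```

Because a missing policy or an empty group silently widens what passes, check that every referenced group and policy name in the running configuration actually exists before relying on the policy.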
Displaying and maintaining PKI

Execute display commands in any view.

Task: Display the contents of a certificate.
  Command: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }