R0106-HP MSR Router Series Security Configuration Guide(V7)

[Device-ssl-server-policy-abc] client-verify enable
[Device-ssl-server-policy-abc] quit
2. Configure the certificate attribute group:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first rule
requires that the subject DN contain the string aabbcc, and the second rule requires that the IP
address of the certificate issuer be 10.0.0.1.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute group named mygroup2 and add two attribute rules. The first rule
requires that the FQDN in the alternative subject name not contain the string apple, and the second
rule requires that the issuer DN contain the string aabbcc.
[Device] pki certificate attribute-group mygroup2
[Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple
[Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup2] quit
3. Configure a certificate access control policy:
# Create a certificate access control policy named myacp.
[Device] pki certificate access-control-policy myacp
# Define a statement to deny the certificates that match the attribute rules in the certificate attribute
group mygroup1.
[Device-pki-cert-acp-myacp] rule 1 deny mygroup1
# Define a statement to permit the certificates that match the attribute rules in the certificate
attribute group mygroup2.
[Device-pki-cert-acp-myacp] rule 2 permit mygroup2
[Device-pki-cert-acp-myacp] quit
Verifying the configuration
When the host accesses the HTTPS server through a browser, the server first checks the host's certificate
against the configured certificate access control policy. In the host's certificate, the subject DN is
aabbcc, the IP address of the certificate issuer is 1.1.1.1, and the FQDN in the alternative subject name
is banaba.
The policy rules are evaluated in ascending rule order, and the first rule whose attribute group matches
the certificate decides the result. A certificate matches an attribute group only if it matches every
attribute rule in the group.
The host's certificate does not match the certificate attribute group mygroup1 specified in rule 1 of the
policy: although its subject DN contains aabbcc, its issuer IP address 1.1.1.1 is not 10.0.0.1. The
certificate is therefore matched against rule 2.
The host's certificate matches the certificate attribute group mygroup2 specified in rule 2 (the FQDN
banaba does not contain apple, and the issuer DN satisfies the second rule of the group). Because rule 2
is a permit statement, the certificate passes the verification and the host can access the HTTPS server.
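The following Python model, added here as an example and not code from the configuration guide or the device, reproduces the matching logic of the attribute groups and access control policy configured above: every attribute rule in a group must match for the group to match, and the policy rules are tried in ascending order with the first matching group deciding. The certificate fields are constructed inline rather than parsed from X.509; the issuer DN of the host certificate is not stated on the page and is set here to contain aabbcc, which the page's stated outcome requires. Case-sensitive substring matching, the any/none treatment of multi-valued SAN entries, and the denial of a certificate that matches no rule are assumptions of this model, not documented device behaviour.

```python
"""Model of certificate attribute group and access control policy evaluation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CertInfo:
    """Certificate fields the attribute rules test on (constructed for the example)."""
    subject_dn: str
    issuer_dn: str
    issuer_ip: Optional[str] = None  # IP from the issuer alternative name, if any
    alt_subject_fqdns: List[str] = field(default_factory=list)  # SAN dNSName entries
    alt_subject_ips: List[str] = field(default_factory=list)    # SAN iPAddress entries


@dataclass
class AttributeRule:
    """One 'attribute <id> <name> <type> <op> <value>' line."""
    number: int
    name: str       # 'subject-name' | 'issuer-name' | 'alt-subject-name'
    attr_type: str  # 'dn' | 'fqdn' | 'ip'
    op: str         # 'ctn' | 'nctn' | 'equ' | 'nequ'
    value: str


@dataclass
class PolicyRule:
    """One 'rule <id> {permit|deny} <group>' line of the access control policy."""
    number: int
    action: str
    group: str


def _fields(cert: CertInfo, rule: AttributeRule) -> List[str]:
    """Certificate values a rule is compared against; unsupported pairs raise."""
    table = {
        ("subject-name", "dn"): [cert.subject_dn],
        ("issuer-name", "dn"): [cert.issuer_dn],
        ("issuer-name", "ip"): [cert.issuer_ip] if cert.issuer_ip else [],
        ("alt-subject-name", "fqdn"): cert.alt_subject_fqdns,
        ("alt-subject-name", "ip"): cert.alt_subject_ips,
    }
    if (rule.name, rule.attr_type) not in table:
        raise ValueError(f"unsupported attribute {rule.name} {rule.attr_type}")
    return table[(rule.name, rule.attr_type)]


def rule_matches(cert: CertInfo, rule: AttributeRule) -> bool:
    """Assumptions: case-sensitive string tests; a multi-valued field satisfies
    ctn/equ if any entry does and nctn/nequ only if no entry does; IP values
    are compared as parsed addresses and support only equ/nequ."""
    values = _fields(cert, rule)
    if rule.attr_type == "ip":
        if rule.op not in ("equ", "nequ"):
            raise ValueError("ip attributes support only equ / nequ")
        want = ipaddress.ip_address(rule.value)
        hit = any(ipaddress.ip_address(v) == want for v in values)
    elif rule.op in ("ctn", "nctn"):
        hit = any(rule.value in v for v in values)
    else:
        hit = any(rule.value == v for v in values)
    return hit if rule.op in ("ctn", "equ") else not hit


def group_matches(cert: CertInfo, rules: List[AttributeRule]) -> bool:
    """A group matches only if every attribute rule in it matches (AND)."""
    return all(rule_matches(cert, r) for r in sorted(rules, key=lambda r: r.number))


def evaluate_policy(cert: CertInfo, policy: List[PolicyRule],
                    groups: Dict[str, List[AttributeRule]]) -> str:
    """First policy rule (ascending order) whose group matches decides.
    Assumption of this model: a certificate matching no rule is denied."""
    for pr in sorted(policy, key=lambda r: r.number):
        if group_matches(cert, groups[pr.group]):
            return pr.action
    return "deny"


# The attribute groups and policy configured on the device above.
GROUPS = {
    "mygroup1": [AttributeRule(1, "subject-name", "dn", "ctn", "aabbcc"),
                 AttributeRule(2, "issuer-name", "ip", "equ", "10.0.0.1")],
    "mygroup2": [AttributeRule(1, "alt-subject-name", "fqdn", "nctn", "apple"),
                 AttributeRule(2, "issuer-name", "dn", "ctn", "aabbcc")],
}
MYACP = [PolicyRule(1, "deny", "mygroup1"), PolicyRule(2, "permit", "mygroup2")]

# Host certificate from the verification step (constructed; issuer DN assumed).
HOST_CERT = CertInfo(subject_dn="CN=aabbcc", issuer_dn="CN=aabbcc",
                     issuer_ip="1.1.1.1", alt_subject_fqdns=["banaba"])
# Same certificate but issued from 10.0.0.1: rule 1 denies it before rule 2 is
# consulted, even though it would also match mygroup2 (constructed).
DENIED_CERT = CertInfo(subject_dn="CN=aabbcc", issuer_dn="CN=aabbcc",
                       issuer_ip="10.0.0.1", alt_subject_fqdns=["banaba"])
# SAN contains "apple": matches neither group, so the fallback applies (constructed).
UNMATCHED_CERT = CertInfo(subject_dn="CN=aabbcc", issuer_dn="CN=aabbcc",
                          issuer_ip="1.1.1.1", alt_subject_fqdns=["apple.example"])

if __name__ == "__main__":
    for label, cert in (("host", HOST_CERT), ("issued-by-10.0.0.1", DENIED_CERT),
                        ("san-apple", UNMATCHED_CERT)):
        print(f"{label}: {evaluate_policy(cert, MYACP, GROUPS)}")
```

The second constructed certificate is the case worth checking on a real deployment: a deny rule placed before a permit rule wins for any certificate that satisfies both groups, so rule numbering, not group membership, determines the outcome.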
Certificate import and export configuration example
Network requirements
Device B will replace Device A in the network. The PKI domain exportdomain on Device A has two local
certificates containing the private key and one CA certificate. To make sure the certificates are still valid
after Device B takes over Device A, copy the certificates on Device A to Device B and meet the following
requirements: