Operation Manual – PKI
H3C S3610&S5510 Series Ethernet Switches
Chapter 1 PKI Configuration
1-21
# Create the certificate attribute-based access control policy myacp and add two access control rules.
[Switch] pki certificate access-control-policy myacp
[Switch-pki-cert-acp-myacp] rule 1 deny mygroup1
[Switch-pki-cert-acp-myacp] rule 2 permit mygroup2
[Switch-pki-cert-acp-myacp] quit
4) Apply the SSL server policy and the certificate attribute-based access control policy to the HTTPS service, and enable the HTTPS service.
# Apply SSL server policy myssl to HTTPS service.
[Switch] ip https ssl-server-policy myssl
# Apply the certificate attribute-based access control policy myacp to the HTTPS service.
[Switch] ip https certificate access-control-policy myacp
# Enable HTTPS service.
[Switch] ip https enable
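The CLI above only shows the policy being declared; it does not show how the switch decides whether a client certificate presented to the HTTPS service is accepted. The following added example (written for this edit, not H3C's code) models that decision: attribute groups such as mygroup1 and mygroup2 match on certificate subject/issuer DN fields, and the policy's numbered rules are checked in order with the first matching group deciding. The operator names (ctn, nctn, equ, nequ), the "all attribute rules in a group must match" semantics, the first-match ordering and the deny-by-default fallback are this example's assumptions; the certificates and group contents are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class CertInfo:
    """The certificate fields a policy can test (assumption: DNs as RFC 4514 strings)."""
    subject_dn: str
    issuer_dn: str
    alt_names: List[str] = field(default_factory=list)


# DN operators; keyword names follow the CLI style, matching semantics are assumed.
_DN_OPS: Dict[str, Callable[[str, str], bool]] = {
    "ctn":  lambda actual, want: want.lower() in actual.lower(),      # contains
    "nctn": lambda actual, want: want.lower() not in actual.lower(),  # not contains
    "equ":  lambda actual, want: actual.lower() == want.lower(),      # equals
    "nequ": lambda actual, want: actual.lower() != want.lower(),      # not equals
}


@dataclass
class AttrRule:
    """One attribute rule inside a group, e.g. subject-name dn ctn OU=guests."""
    attr: str    # "subject-name" or "issuer-name"
    op: str      # key of _DN_OPS
    value: str

    def matches(self, cert: CertInfo) -> bool:
        actual = cert.subject_dn if self.attr == "subject-name" else cert.issuer_dn
        return _DN_OPS[self.op](actual, self.value)


@dataclass
class AttrGroup:
    """A certificate matches a group only if every rule in it matches (assumption)."""
    name: str
    rules: List[AttrRule]

    def matches(self, cert: CertInfo) -> bool:
        return all(rule.matches(cert) for rule in self.rules)


@dataclass
class PolicyRule:
    number: int
    action: str   # "permit" or "deny"
    group: str    # name of an AttrGroup


class AccessControlPolicy:
    """Ordered permit/deny rules; first matching group wins, default applies otherwise."""

    def __init__(self, name: str, groups: List[AttrGroup],
                 rules: List[PolicyRule], default: str = "deny"):
        self.name = name
        self.groups = {g.name: g for g in groups}
        self.rules = sorted(rules, key=lambda r: r.number)
        self.default = default

    def evaluate(self, cert: CertInfo) -> Tuple[str, str]:
        """Return (action, reason) for a presented client certificate."""
        for rule in self.rules:
            group = self.groups.get(rule.group)
            if group is None:
                continue  # rule references an undefined group: skipped (assumption)
            if group.matches(cert):
                return rule.action, f"rule {rule.number} {rule.action} {rule.group}"
        return self.default, f"no rule matched; default {self.default}"


# Constructed sample configuration mirroring the CLI: rule 1 deny mygroup1, rule 2 permit mygroup2.
MYACP = AccessControlPolicy(
    "myacp",
    groups=[
        AttrGroup("mygroup1", [AttrRule("subject-name", "ctn", "OU=guests")]),
        AttrGroup("mygroup2", [AttrRule("issuer-name", "ctn", "CN=Corp Issuing CA")]),
    ],
    rules=[PolicyRule(1, "deny", "mygroup1"), PolicyRule(2, "permit", "mygroup2")],
)

# Constructed sample client certificates.
GUEST_CERT = CertInfo("CN=visitor,OU=guests,O=Corp", "CN=Corp Issuing CA,O=Corp")
EMPLOYEE_CERT = CertInfo("CN=alice,OU=netops,O=Corp", "CN=Corp Issuing CA,O=Corp")
OUTSIDER_CERT = CertInfo("CN=bob,O=Other", "CN=Other CA,O=Other")


def demo() -> Dict[str, str]:
    """Evaluate the three sample certificates against myacp."""
    return {
        "guest": MYACP.evaluate(GUEST_CERT)[0],
        "employee": MYACP.evaluate(EMPLOYEE_CERT)[0],
        "outsider": MYACP.evaluate(OUTSIDER_CERT)[0],
    }


if __name__ == "__main__":
    for name, cert in (("guest", GUEST_CERT), ("employee", EMPLOYEE_CERT), ("outsider", OUTSIDER_CERT)):
        print(name, MYACP.evaluate(cert))
```

The guest certificate is issued by the same CA that mygroup2 permits, yet it is rejected because the deny rule carries the lower number and is evaluated first; reversing the rule numbers would let every certificate from that CA through. Under the assumed deny-by-default fallback, a certificate from an unrelated CA is rejected even though no rule names it.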
1.13 Troubleshooting PKI
1.13.1 Failed to Retrieve a CA Certificate
I. Symptom
Failed to retrieve a CA certificate.
II. Analysis
Possible reasons include these:
• The network connection is not proper. For example, the network cable may be damaged or loose.
• No trusted CA is specified.
• The URL of the enrollment server for certificate request is not correct or not configured.
• No RA is specified.
• The system clock of the device is not synchronized with that of the CA.
III. Solution
• Make sure that the network connection is physically proper.
• Check that the required commands are configured properly.
• Use the ping command to check that the RA server is reachable.
• Configure the RA for certificate request.
• Synchronize the system clock of the device with that of the CA.
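The causes listed above can be checked mechanically before the enrollment is retried. The following added example (written for this edit, not H3C's code) takes a summary of the PKI domain configuration and reports which of the listed causes apply: a missing trusted CA or RA, a missing or malformed enrollment URL, and a device clock that falls outside the CA certificate's validity window, which is how clock skew typically surfaces when the retrieved certificate is validated. The `PkiDomainConfig` shape, the five-minute skew tolerance and the sample values are this example's assumptions; `tcp_reachable` is the programmatic counterpart of the ping check and is not exercised offline.

```python
import socket
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class PkiDomainConfig:
    """Summary of the PKI domain settings that the troubleshooting list refers to (assumed shape)."""
    trusted_ca: Optional[str]       # name of the trusted CA, None if not specified
    enrollment_url: Optional[str]   # URL of the enrollment server, None if not configured
    ra_specified: bool              # whether an RA is configured for certificate request


def check_domain_config(cfg: PkiDomainConfig) -> List[str]:
    """Return the configuration causes from the Analysis list that apply to cfg."""
    findings: List[str] = []
    if not cfg.trusted_ca:
        findings.append("no trusted CA is specified")
    if not cfg.enrollment_url:
        findings.append("enrollment URL is not configured")
    else:
        parsed = urlparse(cfg.enrollment_url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            findings.append(f"enrollment URL is not correct: {cfg.enrollment_url!r}")
    if not cfg.ra_specified:
        findings.append("no RA is specified")
    return findings


def check_clock(device_now: datetime, ca_not_before: datetime, ca_not_after: datetime,
                tolerance: timedelta = timedelta(minutes=5)) -> Optional[str]:
    """Report clock skew that puts the device outside the CA certificate's validity window.

    The tolerance is an assumed allowance for small offsets between device and CA.
    """
    if device_now + tolerance < ca_not_before:
        behind = ca_not_before - device_now
        return f"device clock is at least {behind} behind: CA certificate not yet valid"
    if device_now - tolerance > ca_not_after:
        ahead = device_now - ca_not_after
        return f"device clock is at least {ahead} past the CA certificate expiry"
    return None


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Network counterpart of the ping check: can the RA/enrollment server be reached?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample inputs.
GOOD_CFG = PkiDomainConfig("myca", "http://ra.example.test:8080/certsrv/mscep/mscep.dll", True)
BAD_CFG = PkiDomainConfig(None, "ra.example.test/certsrv", False)

CA_NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
CA_NOT_AFTER = datetime(2034, 1, 1, tzinfo=timezone.utc)
DEVICE_CLOCK_RESET = datetime(2000, 1, 1, tzinfo=timezone.utc)   # typical factory-reset clock
DEVICE_CLOCK_OK = datetime(2025, 6, 1, tzinfo=timezone.utc)


def diagnose(cfg: PkiDomainConfig, device_now: datetime) -> List[str]:
    """Combine the configuration and clock checks into one list of findings."""
    findings = check_domain_config(cfg)
    skew = check_clock(device_now, CA_NOT_BEFORE, CA_NOT_AFTER)
    if skew:
        findings.append(skew)
    return findings


if __name__ == "__main__":
    for line in diagnose(BAD_CFG, DEVICE_CLOCK_RESET):
        print("-", line)
```

A device whose clock was never set after a reset is the most common way the last cause shows up: the CA certificate is rejected as not yet valid even though the network and URL are fine, so the clock check belongs in the diagnosis alongside the configuration checks.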