Removing a certificate
You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you
remove the CA certificate, the system automatically removes the local certificates, peer certificates,
and CRLs in the domain.
You can remove a local certificate and request a new one when the local certificate is about to expire
or the certificate's private key is compromised. To remove a local certificate and request a new
certificate, perform the following tasks:
1. Remove the local certificate.
2. Use the public-key local destroy command to destroy the existing local key pair.
3. Use the public-key local create command to generate a new key pair.
4. Request a new certificate.
To remove a certificate:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Remove a certificate.
  Command: pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }
  Remarks: If you use the peer keyword without specifying a serial number, the command removes all peer certificates.
Configuring a certificate-based access control policy
Certificate-based access control policies allow you to authorize access to a device (for example, an
HTTPS server) based on the attributes of an authenticated client's certificate.
A certificate-based access control policy is a set of access control rules (permit or deny statements),
each associated with a certificate attribute group. A certificate attribute group contains multiple
attribute rules, each defining a matching criterion for an attribute in the certificate issuer name,
subject name, or alternative subject name field.
If a certificate matches all attribute rules in a certificate attribute group associated with an access
control rule, the system determines that the certificate matches the access control rule. In this
scenario, the match process stops, and the system performs the access control action defined in the
access control rule.
The following conditions describe how a certificate-based access control policy verifies the validity of
a certificate:
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement, or does not match any statement in the policy, the certificate is regarded as invalid.
• If a statement is associated with a nonexistent attribute group, or the attribute group has no attribute rules, the certificate matches the statement.
• If the certificate-based access control policy referenced by a security application (for example, HTTPS) does not exist, all certificates in that application pass the verification.
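The matching rules above, as an added example that is not part of this guide or the device software: a Python model of the policy evaluation (first matching statement wins, every attribute rule in a group must match, a nonexistent or empty group matches unconditionally, and a missing policy lets every certificate pass). The sample certificates, group names and the `equals`/`contains` operator names are constructed assumptions.

```python
FIELDS = ("issuer-name", "subject-name", "alt-subject-name")

def attr_rule_matches(cert, rule):
    """One attribute rule: (field, attribute, operator, value).
    The operator names 'equals' and 'contains' are assumptions of this model."""
    field, attr, op, value = rule
    if field not in FIELDS:
        raise ValueError(f"unsupported certificate field: {field}")
    actual = cert.get(field, {}).get(attr)
    if actual is None:
        return False
    if op == "equals":
        return actual == value
    if op == "contains":
        return value in actual
    raise ValueError(f"unknown operator: {op}")

def group_matches(cert, attr_rules):
    """A certificate matches an attribute group only if it matches ALL of its rules."""
    return all(attr_rule_matches(cert, r) for r in attr_rules)

def evaluate_policy(cert, policy, attr_groups):
    """policy: ordered list of (action, group_name); the first matching statement wins.
    Returns True if the certificate passes verification, False if it is regarded as invalid."""
    if policy is None:
        return True  # referenced policy does not exist: every certificate passes
    for action, group_name in policy:
        rules = attr_groups.get(group_name)
        # Nonexistent group or group without rules: the statement matches unconditionally
        if not rules or group_matches(cert, rules):
            return action == "permit"
    return False  # no statement matched: the certificate is regarded as invalid

# Constructed sample data (not from the guide): certificate fields as attribute dicts.
ADMIN_CERT = {"subject-name": {"cn": "admin01", "o": "Example Corp"},
              "issuer-name": {"cn": "Example Corp Issuing CA"}}
CONTRACTOR_CERT = {"subject-name": {"cn": "ctr-jsmith", "o": "Example Corp"},
                   "issuer-name": {"cn": "Example Corp Issuing CA"}}
ATTR_GROUPS = {
    "contractors": [("subject-name", "cn", "contains", "ctr-")],
    "corp-staff": [("subject-name", "o", "equals", "Example Corp"),
                   ("issuer-name", "cn", "contains", "Example Corp")],
}
# Statement order matters: the narrow deny must precede the broad permit,
# because evaluation stops at the first statement whose group matches.
POLICY = [("deny", "contractors"), ("permit", "corp-staff")]
```

Swapping the two statements in `POLICY` would let the contractor certificate through, which is the ordering mistake the "match process stops" rule makes easy to introduce.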
To configure a certificate-based access control policy: