Deleting a certificate
When a certificate requested manually is about to expire or when you want to request a new certificate,
delete the current local certificate or CA certificate.
To do…                    Command…                                                    Remarks
1. Enter system view.     system-view                                                 —
2. Delete certificates.   pki delete-certificate { ca | local } domain domain-name    Required
Configuring an access control policy
By configuring a certificate attribute-based access control policy, you can further control access to the
server, providing additional security for the server.
To configure a certificate attribute-based access control policy:
To do…                              Command…                                  Remarks
1. Enter system view.               system-view                               —
2. Create a certificate attribute   pki certificate attribute-group           Required.
   group and enter its view.        group-name                                No certificate attribute group
                                                                              exists by default.
3. Configure an attribute rule for  attribute id { alt-subject-name           Optional.
   the certificate issuer name,     { fqdn | ip } | { issuer-name |           No restriction exists on the issuer
   certificate subject name, or     subject-name } { dn | fqdn | ip } }       name, certificate subject name,
   alternative subject name.        { ctn | equ | nctn | nequ }               and alternative subject name by
                                    attribute-value                           default.
4. Return to system view.           quit                                      —
5. Create a certificate             pki certificate access-control-policy     Required.
   attribute-based access control   policy-name                               No access control policy exists by
   policy and enter its view.                                                 default.
6. Configure a certificate          rule [ id ] { deny | permit }             Required.
   attribute-based access control   group-name                                No access control rule exists by
   rule.                                                                      default.
                                                                              A certificate attribute group must
                                                                              exist to be associated with a rule.
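
A sample session for the six steps above, added here as an illustration and not taken from the original manual. The group names, policy name and attribute values are constructed; lines starting with # are annotations rather than commands, and ctn/nctn are read as "contains"/"does not contain", which the table lists without defining.

```text
# Annotation lines start with "#"; they are not commands.
# All names and values below are constructed for illustration.

# Step 1: enter system view.
system-view

# Steps 2-4: a group matching certificates whose alternative subject
# name (FQDN) contains "lab.example.com".
pki certificate attribute-group lab-hosts
attribute 1 alt-subject-name fqdn ctn lab.example.com
quit

# Steps 2-4 again: a group matching certificates whose issuer DN contains
# "example-corp-ca" and whose subject DN does not contain "contractor".
pki certificate attribute-group corp-issued
attribute 1 issuer-name dn ctn example-corp-ca
attribute 2 subject-name dn nctn contractor
quit

# Steps 5-6: create the policy and associate each existing group with
# a deny or permit rule. Both groups must exist before this point.
pki certificate access-control-policy server-access
rule 1 deny lab-hosts
rule 2 permit corp-issued
```

The table does not say how a certificate that matches no rule is treated, so confirm that behavior in the device's command reference before relying on the policy.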