
HP FlexFabric 5700 series User Manual

HP FlexFabric 5700 series
460 pages
A certificate-based access control policy is a set of access control rules (permit or deny statements), each
associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules,
each defining a matching criterion for an attribute in the certificate issuer name, subject name, or
alternative subject name field.
If a certificate matches all attribute rules in a certificate attribute group associated with an access control
rule, the system determines that the certificate matches the access control rule. In this scenario, the match
process stops, and the system performs the access control action defined in the access control rule.
The following conditions describe how a certificate-based access control policy verifies the validity of a
certificate:
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement or does not match any statements in the policy, the
certificate is regarded as invalid.
• If a statement is associated with a nonexistent attribute group, or the attribute group does not have
attribute rules, the certificate matches the statement.
• If the certificate-based access control policy referenced by a security application (for example,
HTTPS) does not exist, all certificates in the application pass the verification.
To configure a certificate-based access control policy:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create a certificate attribute group and enter its view.
    Command: pki certificate attribute-group group-name
    Remarks: By default, no certificate attribute groups exist.

Step 3. (Optional.) Configure an attribute rule for issuer name, subject name, or alternative subject name.
    Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
    Remarks: By default, no attribute rules are configured.

Step 4. Return to system view.
    Command: quit
    Remarks: N/A

Step 5. Create a certificate-based access control policy and enter its view.
    Command: pki certificate access-control-policy policy-name
    Remarks: By default, no certificate-based access control policy exists.

Step 6. Create a certificate access control rule.
    Command: rule [ id ] { deny | permit } group-name
    Remarks: By default, no certificate access control rules are configured, and all certificates can pass the verification. You can create multiple access control rules for a certificate-based access control policy.
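
The matching conditions above include cases where a certificate passes without any attribute being checked: a statement that names a missing or empty attribute group, and a policy name that does not exist. The Python model below is an added example, not code from the HP manual or the switch software, and walks constructed certificates through those cases. Assumptions: ctn/equ/nctn/nequ mean contains, equals, does not contain, and does not equal; statements are tried in ascending rule id; comparison is case-insensitive; each field holds one value.

```python
# Added model of the matching rules described on this page; not device code.
# ctn/equ/nctn/nequ: contains, equals, does not contain, does not equal.
OPS = {
    "ctn": lambda have, want: want in have,
    "equ": lambda have, want: have == want,
    "nctn": lambda have, want: want not in have,
    "nequ": lambda have, want: have != want,
}

def group_matches(cert, attr_rules):
    # A certificate must satisfy every attribute rule in the group.
    # all() over an empty list is True, so an empty group matches anything.
    # Assumptions: one value per field, case-insensitive compare,
    # and a field absent from the certificate never satisfies a rule.
    return all(
        field in cert and OPS[op](cert[field].lower(), value.lower())
        for field, op, value in attr_rules
    )

def evaluate(cert, policy_name, policies, groups):
    """Return (verdict, reason) for one certificate."""
    if policy_name not in policies:
        return "pass", "policy does not exist"
    # Assumption: statements are tried in ascending rule id; first match wins.
    for rule_id, action, group_name in sorted(policies[policy_name]):
        attr_rules = groups.get(group_name, [])  # missing group acts as empty
        if group_matches(cert, attr_rules):
            verdict = "pass" if action == "permit" else "invalid"
            return verdict, f"rule {rule_id} {action} {group_name}"
    return "invalid", "no statement matched"

# Constructed sample configuration and certificates.
GROUPS = {
    "corp-ca": [("issuer-name dn", "ctn", "CN=Example Corp CA")],
    "retired": [("subject-name fqdn", "equ", "old.example.com")],
}
POLICIES = {
    "https-acp": [(1, "deny", "retired"), (2, "permit", "corp-ca")],
    "typo-acp": [(1, "permit", "corp-cas")],  # group name misspelled
}
GOOD = {"issuer-name dn": "CN=Example Corp CA,O=Example",
        "subject-name fqdn": "web.example.com"}
OLD = dict(GOOD, **{"subject-name fqdn": "old.example.com"})
ROGUE = {"issuer-name dn": "CN=Other CA", "subject-name fqdn": "x.test"}

if __name__ == "__main__":
    for name, cert in [("good", GOOD), ("old", OLD), ("rogue", ROGUE)]:
        for pol in ("https-acp", "typo-acp", "missing-acp"):
            print(name, pol, evaluate(cert, pol, POLICIES, GROUPS))
```

In this model the certificate from the unrelated CA is rejected by https-acp but passes both typo-acp and the nonexistent missing-acp, so a configuration review should confirm that every group named in a rule exists and contains attribute rules, and that the policy name referenced by the application matches a configured policy.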
Displaying and maintaining PKI
Execute display commands in any view.
