<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
• certificate request mode
• pki import
• pki retrieve-certificate
rule
Use rule to create a rule (or statement).
Use undo rule to remove a statement.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No statement exists.
Views
PKI certificate access control policy view
Predefined user roles
network-admin
Parameters
id: Assigns a number to the statement, in the range of 1 to 16. The default setting is the smallest unused number in this range. Rules in a policy are sorted in ascending order, and a rule with a smaller number is compared first.
deny: Denies the certificates that match the associated certificate group.
permit: Permits the certificates that match the associated certificate group.
group-name: Specifies a certificate attribute group, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can associate a nonexistent certificate attribute group when you create a statement. Later you can use the pki certificate attribute-group command to create the certificate attribute group.
If the associated certificate attribute group does not exist, or the group has no attribute rules (set by the attribute command), any certificate can match the statement.
The statements in a policy are sorted in ascending order. When a certificate matches a statement, the match process stops, and access control is performed based on the certificate verification result.
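The following is an added Python model of the statement evaluation described above; it is not Comware code. The ascending-id order, first-match stop, default id assignment and the "missing or empty group matches any certificate" behaviour follow the guidelines; the attribute-group matching (field/substring pairs), the certificate dictionaries and the group names are constructed simplifications, and the result when no statement matches is not specified by this excerpt.

```python
MAX_RULE_ID = 16  # statement ids run from 1 to 16

def smallest_unused_id(used_ids):
    """Default statement id: the smallest unused number in 1..16."""
    for candidate in range(1, MAX_RULE_ID + 1):
        if candidate not in used_ids:
            return candidate
    raise ValueError("all 16 statement ids are in use")

class CertAccessControlPolicy:
    def __init__(self):
        self.rules = {}   # id -> (action, group_name)
        self.groups = {}  # group_name -> list of (cert_field, required_substring)

    def attribute_group(self, name, attrs=()):
        # Simplified stand-in for 'attribute' rules: (field, substring) pairs, all must hold.
        self.groups[name] = list(attrs)

    def rule(self, action, group_name, rule_id=None):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = smallest_unused_id(self.rules)
        self.rules[rule_id] = (action, group_name)  # the group may not exist yet
        return rule_id

    def group_matches(self, group_name, cert):
        attrs = self.groups.get(group_name)
        if not attrs:  # nonexistent group or no attribute rules: any certificate matches
            return True
        return all(needle in cert.get(field, "") for field, needle in attrs)

    def evaluate(self, cert):
        """First matching statement decides; None if no statement matches (unspecified here)."""
        for rule_id in sorted(self.rules):  # ascending order, smaller number compared first
            action, group_name = self.rules[rule_id]
            if self.group_matches(group_name, cert):
                return action
        return None

def demo():
    """Constructed scenario: a deny statement whose attribute group is created later."""
    policy = CertAccessControlPolicy()
    policy.rule("deny", "contractors")  # id 1; group does not exist yet
    policy.rule("permit", "mygroup")    # id 2
    policy.attribute_group("mygroup", [("subject", "O=Example")])
    alice = {"subject": "CN=alice,O=Example"}
    before = policy.evaluate(alice)  # 'deny': statement 1 matches every certificate
    policy.attribute_group("contractors", [("subject", "OU=Contractors")])
    return before, policy.evaluate(alice)  # ('deny', 'permit')
```

The demo shows why the ordering matters operationally: until the group referenced by the lower-numbered deny statement is created and given attribute rules, that statement matches every certificate and the permit statement is never reached.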
Examples
# Create a permit statement, and associate the statement with the certificate attribute group mygroup.
<Sysname> system-view
[Sysname] pki certificate access-control-policy mypolicy