Procedure

  1. Enter system view.

    system-view

  2. Create a certificate attribute group and enter its view.

    pki certificate attribute-group group-name

  3. Configure an attribute rule for issuer name, subject name, or alternative subject name.

    attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value

    By default, no attribute rules are configured.

  4. Return to system view.

    quit

  5. Create a certificate-based access control policy and enter its view.

    pki certificate access-control-policy policy-name

    By default, no certificate-based access control policies exist.

  6. Create a certificate access control rule.

    rule [ id ] { deny | permit } group-name

    By default, no certificate access control rules are configured, and all certificates can pass the verification.

    You can create multiple certificate access control rules for a certificate-based access control policy.
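
The procedure above carried through once with concrete values, as an added example that is not part of the original documentation. All group names, the policy name, and the attribute values are constructed. The comments assume that every attribute rule in a group must match and that rules are checked in ascending rule ID with the first match deciding; confirm both against your platform's command reference.

```text
# Lines starting with "#" are annotations for the reader, not commands.
system-view

# Group 1: a single host certificate to refuse, identified by the IP
# address in its alternative subject name (constructed value).
pki certificate attribute-group blocked-host
 attribute 1 alt-subject-name ip equ 192.0.2.10
 quit

# Group 2: certificates from the expected issuer whose subject FQDN
# is inside the organization's domain (constructed values).
pki certificate attribute-group trusted-clients
 attribute 1 issuer-name dn ctn example-internal-ca
 attribute 2 subject-name fqdn ctn example.com
 quit

# Policy: the deny rule gets the lower ID so the blocked host is
# rejected even though it would also satisfy the trusted-clients group.
pki certificate access-control-policy mgmt-access
 rule 1 deny blocked-host
 rule 2 permit trusted-clients
 quit

# Review the result. These display commands are not shown on this page
# and are assumed to be available on the device.
display pki certificate attribute-group
display pki certificate access-control-policy mgmt-access
```

A policy left with no rules lets every certificate pass verification, as the default noted in step 6 states, so check that the rules are present before relying on the policy.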