Procedure
Enter system view.
system-view
Create a certificate attribute group and enter its view.
pki certificate attribute-group group-name
Configure an attribute rule for issuer name, subject name, or alternative subject name.
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
By default, no attribute rules are configured.
Return to system view.
quit
Create a certificate-based access control policy and enter its view.
pki certificate access-control-policy policy-name
By default, no certificate-based access control policies exist.
Create a certificate access control rule.
rule [ id ] { deny | permit } group-name
By default, no certificate access control rules are configured, and all certificates can pass the verification.
You can create multiple certificate access control rules for a certificate-based access control policy.
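A worked configuration that follows the steps above, added here as an example and not taken from the original page. The group names, policy name and attribute values are constructed, and lines starting with # are annotations rather than commands.

```text
# Constructed example; names and values are assumptions, not from the page.
system-view

# Group 1: issuer DN does NOT contain the expected CA name (nctn).
pki certificate attribute-group untrusted-issuer
attribute 1 issuer-name dn nctn example-internal-ca
quit

# Group 2: subject DN contains "branch" (ctn) and the alternative
# subject name FQDN equals gw1.example.com (equ).
pki certificate attribute-group branch-gw
attribute 1 subject-name dn ctn branch
attribute 2 alt-subject-name fqdn equ gw1.example.com
quit

# Policy: deny certificates matching group 1, permit those matching group 2.
pki certificate access-control-policy branch-vpn
rule 1 deny untrusted-issuer
rule 2 permit branch-gw
```

The page does not state how multiple attribute rules in a group combine or how a certificate that matches no rule is treated; confirm both in the platform's command reference before relying on the policy.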