H3C Technologies H3C S5120 Series Switches User Manual


# Generate a local RSA key pair.

[Device] public-key local create rsa

# Retrieve a CA certificate.

[Device] pki retrieval-certificate ca domain 1

# Request a local certificate for Device.

[Device] pki request-certificate domain 1

# Configure an SSL server policy myssl, specify PKI domain 1 for it, and enable the SSL server to perform certificate-based authentication of the client.

[Device] ssl server-policy myssl

[Device-ssl-server-policy-myssl] pki-domain 1

[Device-ssl-server-policy-myssl] client-verify enable

[Device-ssl-server-policy-myssl] quit

# Configure certificate attribute group mygroup1 with an attribute rule requiring that the Distinguished Name (DN) of the issuer name contain new-ca.

[Device] pki certificate attribute-group mygroup1

[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Device-pki-cert-attribute-group-mygroup1] quit

# Create certificate access control policy myacp with a control rule specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group mygroup1.

[Device] pki certificate access-control-policy myacp

[Device-pki-cert-acp-myacp] rule 1 permit mygroup1

[Device-pki-cert-acp-myacp] quit

# Associate the HTTPS service with the SSL server policy myssl.

[Device] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate access control policy myacp, so that only HTTPS clients holding a certificate issued by new-ca can access the HTTPS server.

[Device] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Device] ip https enable

# Create a local user usera, and set the password to 123 and the service type to telnet.

[Device] local-user usera

[Device-luser-usera] password simple 123

[Device-luser-usera] service-type telnet

2) Configure the HTTPS client Host

Open IE on Host, type http://10.1.2.2/certsrv, and request a certificate for Host as prompted.

3) Verify the configuration

Open IE on Host, enter https://10.1.1.1, and select the certificate issued by new-ca as the certificate for Host; you can then log in to Device. On the login page, type username usera and password 123, and you can enter the Web configuration page of Device to access and control it.
