Deleting a Certificate, Configuring an Access Control Policy – H3C Technologies H3C WX6000 Series Access Controllers User Manual


68-11

To do…                          Use the command…                 Remarks
Enter system view               system-view                      -
Destroy a local RSA key pair    public-key local destroy rsa     Required

For details about the public-key local destroy rsa command, refer to SSH in H3C WX6103 Access Controller Switch Interface Board Command Reference.

Deleting a Certificate

When a certificate requested manually is about to expire or you want to request a new certificate, you
can delete the current local certificate or CA certificate.

Follow these steps to delete a certificate:

To do…                  Use the command…                                          Remarks
Enter system view       system-view                                               -
Delete certificates     pki delete-certificate { ca | local } domain domain-name  Required

Configuring an Access Control Policy

By configuring a certificate attribute-based access control policy, you can further control access to the
server, providing additional security for the server.

Follow these steps to configure a certificate attribute-based access control policy:

To do…                                   Use the command…                                        Remarks
Enter system view                        system-view                                             -
Create a certificate attribute group     pki certificate attribute-group group-name              Required.
and enter its view                                                                               No certificate attribute group exists by default.
Configure an attribute rule for the      attribute id { alt-subject-name { fqdn | ip } |         Optional.
certificate issuer name, certificate     { issuer-name | subject-name } { dn | fqdn | ip } }     There is no restriction on the issuer name,
subject name, or alternative subject     { ctn | equ | nctn | nequ } attribute-value             certificate subject name, or alternative
name                                                                                             subject name by default.
Return to system view                    quit                                                    -
Create a certificate attribute-based     pki certificate access-control-policy policy-name       Required.
access control policy and enter its                                                              No access control policy exists by default.
view
Configure a certificate                  rule [ id ] { deny | permit } group-name                Required.
attribute-based access control rule                                                              No access control rule exists by default.
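The following is an added example, not code from the H3C manual or the Comware software: a small Python model of how a certificate attribute-based access control policy built from the commands above is evaluated against a peer certificate. The attribute-group names, policy name, DNs and hostnames are constructed for the example. The matching semantics are assumptions made for the model and are not stated on this page: every attribute rule in a group must match for the group to match; policy rules are tried in ascending id order and the first match decides; a certificate that matches no rule, or a rule whose group is empty or undefined, results in deny.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

NameValues = Dict[str, Union[str, List[str]]]


# Follows the attribute command syntax on this page:
#   attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name }
#   { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
@dataclass
class AttributeRule:
    name: str   # "issuer-name", "subject-name" or "alt-subject-name"
    kind: str   # "dn", "fqdn" or "ip"
    op: str     # "ctn" (contains), "equ" (equals), "nctn" / "nequ" (their negations)
    value: str


def _normalize(kind: str, value: str) -> str:
    """DNs and FQDNs compare case-insensitively; IPs are canonicalised when they
    parse, otherwise kept as text so a 'ctn 10.0.' style prefix still works.
    Modelling choice, not taken from the manual."""
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return value.strip()
    return value.strip().lower()


@dataclass
class Certificate:
    """Constructed stand-in for a parsed X.509 certificate: each name maps the
    attribute kind (dn / fqdn / ip) to the value(s) the certificate carries."""
    issuer: NameValues
    subject: NameValues
    alt_subject: NameValues = field(default_factory=dict)

    def values_for(self, name: str, kind: str) -> List[str]:
        source = {"issuer-name": self.issuer, "subject-name": self.subject,
                  "alt-subject-name": self.alt_subject}[name]
        raw = source.get(kind, [])
        values = [raw] if isinstance(raw, str) else list(raw)
        return [_normalize(kind, v) for v in values]


def attribute_matches(rule: AttributeRule, cert: Certificate) -> bool:
    expected = _normalize(rule.kind, rule.value)
    actual = cert.values_for(rule.name, rule.kind)
    if rule.op in ("equ", "nequ"):
        hit = any(v == expected for v in actual)
    elif rule.op in ("ctn", "nctn"):
        hit = any(expected in v for v in actual)
    else:
        raise ValueError(f"unknown operator {rule.op!r}")
    # nctn / nequ hold when no carried value hits, so a certificate with no
    # value of that kind at all satisfies them.
    return hit if rule.op in ("equ", "ctn") else not hit


def group_matches(rules: List[AttributeRule], cert: Certificate) -> bool:
    # Assumed: a group matches only when every attribute rule in it matches;
    # an empty (or undefined) group matches nothing.
    return bool(rules) and all(attribute_matches(r, cert) for r in rules)


@dataclass
class AccessControlPolicy:
    """pki certificate access-control-policy policy-name, holding the
    rule [ id ] { deny | permit } group-name entries as (id, action, group)."""
    name: str
    groups: Dict[str, List[AttributeRule]] = field(default_factory=dict)
    rules: List[Tuple[int, str, str]] = field(default_factory=list)

    def evaluate(self, cert: Certificate) -> str:
        # Assumed: rules are tried in ascending id order, first match decides,
        # and a certificate matching no rule is denied.
        for _rule_id, action, group in sorted(self.rules):
            if group_matches(self.groups.get(group, []), cert):
                return action
        return "deny"


def build_example_policy() -> AccessControlPolicy:
    """Constructed policy. Equivalent CLI, following the syntax on this page:
         pki certificate attribute-group blocked
          attribute 1 alt-subject-name fqdn ctn test.
         pki certificate attribute-group eng
          attribute 1 issuer-name dn equ cn=corp-ca,o=example
          attribute 2 subject-name dn ctn ou=engineering
         pki certificate access-control-policy demo
          rule 1 deny blocked
          rule 2 permit eng"""
    policy = AccessControlPolicy(name="demo")
    policy.groups["blocked"] = [AttributeRule("alt-subject-name", "fqdn", "ctn", "test.")]
    policy.groups["eng"] = [AttributeRule("issuer-name", "dn", "equ", "CN=corp-ca,O=example"),
                            AttributeRule("subject-name", "dn", "ctn", "OU=engineering")]
    policy.rules = [(1, "deny", "blocked"), (2, "permit", "eng")]
    return policy


# Constructed sample certificates, not real data.
SAMPLE_CERTS = {
    "alice": Certificate({"dn": "CN=corp-ca,O=example"}, {"dn": "CN=alice,OU=engineering,O=example"},
                         {"fqdn": ["alice.example.com"]}),
    "bob": Certificate({"dn": "CN=corp-ca,O=example"}, {"dn": "CN=bob,OU=sales,O=example"}),
    "build": Certificate({"dn": "CN=corp-ca,O=example"}, {"dn": "CN=build,OU=engineering,O=example"},
                         {"fqdn": ["test.example.com"], "ip": ["10.0.0.7"]}),
    "other-ca": Certificate({"dn": "CN=other-ca,O=example"}, {"dn": "CN=mallory,OU=engineering,O=example"}),
}


def decisions() -> Dict[str, str]:
    policy = build_example_policy()
    return {label: policy.evaluate(cert) for label, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, decision in decisions().items():
        print(f"{label}: {decision}")
```

Running the block prints one decision per sample certificate: alice is permitted by rule 2, build is rejected by the deny rule on its test. alternative name even though it would otherwise match the eng group, and bob and the certificate from the other CA fall through to the default deny because no group matches them. The negated operators deserve attention when writing real rules: a certificate that carries no alternative subject name at all satisfies an nctn or nequ rule on that name.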
