To Next Page

To Previous Page

452

• The subject name field and the issuer name field can contain a single DN, multiple FQDNs, and

multiple IP addresses.

• The alternative subject name field can contain multiple FQDNs and IP addresses but zero DNs.

An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in

Table 57.

Table 57 Combinations of attribute-value pairs and operation keywords

Operation

FQDN/IP

ctn

The DN contains the specified

attribute value.

Any FQDN or IP address contains the specified attribute

value.

nctn

The DN does not contain the

specified attribute value.

None of the FQDNs or IP addresses contain the specified

attribute value.

equ

The DN is the same as the

specified attribute value.

Any FQDN or IP address is the same as the specified

attribute value.

nequ

The DN is not the same as the

specified attribute value.

None of the FQDNs or IP addresses are the same as the

specified attribute value.

A certificate matches an attribute rule if it contains an attribute that matches the criterion defined in

the rule. For example, a certificate matches the attribute 1 subject-name dn ctn abc rule if it meets

the following conditions:

• The subject name field of the certificate contains the DN attribute.

• The DN attribute value contains the abc string.

A certificate matches an attribute group if it matches all attribute rules in the group.

Examples

# Create a certificate attribute group and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

# Specify an attribute rule to match certificates that contain the abc string in the subject DN.

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Specify an attribute rule to match certificates that do not contain FQDN abc in the issuer name

field.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Specify an attribute rule to match certificates that do not contain IP address 10.0.0.1 in the

alternative subject name field.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

Related commands

display pki certificate attribute-group

rule

ca identifier

Use ca identifier to specify the trusted CA.

Use undo ca identifier to restore the default.

Syntax

ca identifier name

undo ca identifier

Other manuals for H3C MSR Series

Manual33 pages

Probe Command Reference28 pages

Configuration Guide80 pages

Troubleshooting Guide28 pages

User Guide26 pages

Questions and Answers:

Need help?

Do you have a question about the H3C MSR Series and is the answer not in the manual?

H3C MSR Series Specifications

General

Category	Network Router
IPv6 Support	Yes
Dimensions	Varies by model
Weight	Varies by model
Product Type	Modular Router
Ports	Varies by model
WAN Interfaces	Varies by model
Firewall	Yes
QoS	Yes
Wireless Support	Varies by model
USB Ports	Varies by model
Console Port	Yes
Power Supply	Varies by model
Redundancy	Varies by model
Operating Temperature	0°C to 45°C
Storage Temperature	-40°C to 70°C
Humidity	5% to 95% non-condensing
Series	MSR
Certifications	CE, FCC, RoHS