13-6
[Device-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Device-pki-domain-1] certificate request from ra
[Device-pki-domain-1] certificate request entity en
[Device-pki-domain-1] quit
# Generate a local RSA key pair.
[Device] public-key local create rsa
# Retrieve a CA certificate.
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
# Configure an SSL server policy myssl, specify PKI domain 1 for it, and enable the SSL server to
perform certificate-based authentication of the client.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure certificate attribute group mygroup1, and configure the attribute rules, specifying that the
Distinguished Name (DN) in the issuer name includes new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create certificate access control policy myacp and create a control rule, specifying that a certificate is
considered valid when it matches the attribute rule in certificate attribute group mygroup.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with the SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute access control policy myacp, ensuring that only
HTTPS clients retrieving a certificate from new-ca can access the HTTPS server.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user usera, set the password to 123, and service type to telnet.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
2) Configure the HTTPS client Host
Open the IE on Host, type http://10.1.2.2/certsrv, and request a certificate for Host as prompted.
3) Verify the configuration
Open the IE explorer on Host, enter https://10.1.1.1, select the certificate issued by new-ca for Host,
and then you can log in to Device. On the login page, type username usera, and password 123, and
then you can enter the Web configuration page of Device to access and control it.
To Next Page
Loading...
Need help?
General
