289
# Define a statement to permit the certificates that match the attribute rules in certificate
attribute group mygroup2.
[Device-pki-cert-acp-myacp] rule 2 permit mygroup2
[Device-pki-cert-acp-myacp] quit
Verifying the configuration
# On the host, access the HTTPS server through a Web browser.
The server first verifies the validity of the host's certificate according to the configured
certificate-based access control policy. In the host's certificate, the subject DN is aabbcc, the IP
address of the certificate issuer is 1.1.1.1, and the FQDN of the alternative subject name is banaba.
The host's certificate does not match certificate attribute group mygroup1 specified in rule 1 of the
certificate-based access control policy. The certificate continues to match against rule 2.
The host's certificate matches certificate attribute group mygroup2 specified in rule 2. Because rule
2 is a permit statement, the certificate passes the verification and the host can access the HTTPS
server.
Certificate import and export configuration example
Network requirements
As shown in Figure 88, Device B will replace Device A in the network. PKI domain exportdomain on
Device A has two local certificates containing the private key and one CA certificate. To make sure
the certificates are still valid after Device B replaces Device A, copy the certificates on Device A to
Device B as follows:
1. Export the certificates in PKI domain exportdomain on Device A to .pem certificate files.
During the export, encrypt the private key in the local certificates using 3DES_CBC with the
password 11111.
2. Transfer the certificate files from Device A to Device B through the FTP host.
3. Import the certificate files to PKI domain importdomain on Device B.
Figure 88 Network diagram
Configuration procedure
1. Export the certificates on Device A:
# Export the CA certificate to a .pem file.
<DeviceA> system-view
[DeviceA] pki export domain exportdomain pem ca filename pkicachain.pem
# Export the local certificate to a file named pkilocal.pem in PEM format, and use 3DES_CBC
to encrypt the private key with the password 111111.
[DeviceA] pki export domain exportdomain pem local 3des-cbc 111111 filename
pkilocal.pem
To Next Page
Loading...
Need help?
General