Requesting certificates 
To request a certificate, a PKI entity must provide its identity information and public key to a CA.
You can first generate the certificate request on the device, and then send the request to the CA by
using an out-of-band method such as phone or email.
Before you submit a certificate request, make sure the CA certificate exists in the PKI domain and a 
key pair is specified for the PKI domain. 
• The CA certificate is used to verify the authenticity and validity of the obtained local certificate.
• The key pair is used for the certificate request. Upon receiving the public key and the identity
information, the CA signs and issues a certificate.
When generating the certificate request, the system automatically creates a key pair if the key pair 
specified in the PKI domain does not exist. The name, algorithm, and length of the key pair are 
configured in the PKI domain. 
Certificate access control 
Certificate access control policies 
Certificate access control policies allow you to authorize access to a device (for example, an HTTPS 
server) based on the attributes of an authenticated client's certificate.  
A certificate access control policy is a set of access control rules (permit or deny statements). Each 
access control rule associates an action with an attribute group. 
• Action—Determines whether a certificate is considered valid (Permit) or invalid (Deny). 
• Attribute group—Contains multiple attribute rules, each defining a matching criterion for an 
attribute in the certificate issuer name, subject name, or alternative subject name field.  
If a certificate matches all attribute rules in a certificate attribute group associated with an access 
control rule, the system determines that the certificate matches the access control rule. In this 
scenario, the match process stops, and the system performs the access control action defined in the 
access control rule.  
The following conditions describe how a certificate access control policy verifies the validity of a 
certificate: 
• The system matches a certificate with the access control rules (statements) in a policy in
ascending order of the rule ID.
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement or does not match any statements in the policy, the
certificate is regarded as invalid.
• If a statement is associated with a nonexistent attribute group, or the attribute group does not
have attribute rules, the certificate matches the statement.
• If the certificate access control policy referenced by a security application (for example, HTTPS)
does not exist, all certificates in the application pass the verification.
Attribute groups 
A certificate attribute group contains multiple attribute rules, each defining a matching criterion for an 
attribute in the certificate issuer name, subject name, or alternative subject name field.  
An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed 
in Table 18.
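The matching logic described in the two sections above (policy statements evaluated in ascending rule-ID order, attribute groups whose rules must all match, and the nonexistent-group and nonexistent-policy cases), written out as an added Python example. This is not the device's own code. The operation keywords used here (ctn for "contains", equ for "equals", and their negations nctn and nequ), the field names, and the certificate dictionary layout are assumptions for the example; Table 18 in this guide is the authoritative list of keywords.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# A certificate is modelled by the three name fields a policy can inspect.
# "alt-subject-name" may hold several values (one per SAN entry).
Certificate = Dict[str, Sequence[str]]


@dataclass(frozen=True)
class AttributeRule:
    """One matching criterion inside an attribute group."""
    field: str   # "issuer-name", "subject-name" or "alt-subject-name"
    op: str      # operation keyword; ctn/equ/nctn/nequ are assumed here
    value: str

    def matches(self, cert: Certificate) -> bool:
        values = list(cert.get(self.field, ()))
        if self.op == "ctn":
            return any(self.value in v for v in values)
        if self.op == "equ":
            return any(self.value == v for v in values)
        if self.op == "nctn":
            return not any(self.value in v for v in values)
        if self.op == "nequ":
            return not any(self.value == v for v in values)
        raise ValueError(f"unknown operation keyword: {self.op!r}")


@dataclass(frozen=True)
class AccessControlRule:
    """One statement of a certificate access control policy."""
    rule_id: int
    action: str   # "permit" or "deny"
    group: str    # name of the attribute group the statement references


def statement_matches(rule: AccessControlRule,
                      groups: Dict[str, List[AttributeRule]],
                      cert: Certificate) -> bool:
    attribute_rules = groups.get(rule.group)
    # Nonexistent group, or a group with no attribute rules: the statement matches.
    if not attribute_rules:
        return True
    # Otherwise every attribute rule in the group must match.
    return all(r.matches(cert) for r in attribute_rules)


def certificate_is_valid(policy: Optional[List[AccessControlRule]],
                         groups: Dict[str, List[AttributeRule]],
                         cert: Certificate) -> bool:
    if policy is None:
        return True   # referenced policy does not exist: every certificate passes
    for rule in sorted(policy, key=lambda r: r.rule_id):   # ascending rule ID
        if statement_matches(rule, groups, cert):
            return rule.action == "permit"   # first matching statement decides
    return False   # no statement matched: the certificate is invalid


# --- constructed sample data (assumed names, not from the page) ---
GROUPS: Dict[str, List[AttributeRule]] = {
    "contractors": [AttributeRule("subject-name", "ctn", "OU=Contractors")],
    "corp-issued": [
        AttributeRule("issuer-name", "ctn", "CN=Corp Root CA"),
        AttributeRule("alt-subject-name", "ctn", ".corp.example"),
    ],
    "empty-group": [],   # a group that has no attribute rules
}

POLICIES: Dict[str, List[AccessControlRule]] = {
    "https-clients": [
        AccessControlRule(10, "deny", "contractors"),
        AccessControlRule(20, "permit", "corp-issued"),
    ],
    # Same policy plus a trailing permit that references a group without
    # attribute rules, so that statement matches every certificate.
    "https-clients-loose": [
        AccessControlRule(10, "deny", "contractors"),
        AccessControlRule(20, "permit", "corp-issued"),
        AccessControlRule(30, "permit", "empty-group"),
    ],
}


def make_cert(subject: str, issuer: str, sans: Sequence[str] = ()) -> Certificate:
    return {"subject-name": [subject], "issuer-name": [issuer],
            "alt-subject-name": list(sans)}


ALICE = make_cert("CN=alice,OU=Engineering,O=Corp", "CN=Corp Root CA,O=Corp",
                  ["alice.corp.example"])
BOB = make_cert("CN=bob,OU=Contractors,O=Corp", "CN=Corp Root CA,O=Corp",
                ["bob.corp.example"])
EVE = make_cert("CN=eve,O=Other", "CN=Other CA,O=Other")


def evaluate(policy_name: str, cert: Certificate) -> bool:
    """Apply the named policy; a missing policy name means 'policy does not exist'."""
    return certificate_is_valid(POLICIES.get(policy_name), GROUPS, cert)


if __name__ == "__main__":
    for name, cert in (("alice", ALICE), ("bob", BOB), ("eve", EVE)):
        print(name, evaluate("https-clients", cert),
              evaluate("https-clients-loose", cert),
              evaluate("no-such-policy", cert))
```

Two results are worth checking when you write a real policy: Bob is denied under both policies because the deny statement has the lower rule ID and matching stops there, and Eve is accepted under the "loose" policy only because of the permit statement whose group has no attribute rules. A misspelled or never-populated group name on a permit statement therefore opens the policy to every certificate, so review each group name that a permit statement references.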