Configuring a certificate access control policy – H3C Technologies H3C S6300 Series Switches User Manual

196

Configuring a certificate access control policy

You can configure a certificate access control policy on a server to control user access, securing the
server. For example, in an HTTPS application, you can configure a certificate access control policy on an

HTTPS server to verify the validity of client certificates.
A certificate access control policy is a set of certificate access control rules (permit or deny statements),

each associating with a certificate attribute group. A certificate attribute group contains multiple attribute
rules, each defining a matching criterion for the issuer name, subject name, or alternative subject names

of the certificate. A certificate matches a statement if it matches all attribute rules in the certificate

attribute group that associates with the statement.
A certificate matches the statements in a policy by sequence number in ascending order. When a match
is found, the match process stops, and access control is performed based on the certificate verification

result.
The following describes how a certificate access control policy verifies the validity of a certificate:

•

If a certificate matches a permit statement, the certificate passes the verification.

•

If a certificate matches a deny statement or does not match any statements in the policy, the
certificate is regarded invalid.

•

If a statement associates with a non-existing attribute group, or the attribute group is configured
without any attribute rules, the certificate matches the statement.

•

If the certificate access control policy referenced by a security application (for example, HTTPS)

does not exist, all certificates in the application pass the verification.

To configure a certificate access control policy:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Create a certificate attribute
group and enter its view.

pki certificate attribute-group
group-name

By default, no certificate attribute
group exists.

3.

(Optional.) Configure an
attribute rule for issuer name,

subject name, or alternative

subject name.

attribute id { alt-subject-name
{ fqdn | ip } | { issuer-name |

subject-name } { dn | fqdn | ip } }

{ ctn | equ | nctn | nequ}
attribute-value

By default, not attribute rule is
configured.

4.

Return to system view.

quit

N/A

5.

Create a certificate access
control policy and enter its

view.

pki certificate access-control-policy
policy-name

By default, no certificate access
control policy exists.

6.

Create a certificate access

control rule (or statement).

rule [ id ] { deny | permit }
group-name

By default, no statement is
configured, and all certificates can

pass the verification.
You can create multiple statements
for a certificate access control

policy.