H3C Technologies H3C WX6000 Series Access Controllers User Manual
[AC-pki-domain-1] certificate request entity en
[AC-pki-domain-1] quit
# Generate a key pair locally by using the RSA algorithm.
[AC] public-key local create rsa
# Obtain a server certificate from CA.
[AC] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[AC] pki request-certificate domain 1
2) Configure an SSL server policy associated with the HTTPS service
# Configure an SSL server policy.
[AC] ssl server-policy myssl
[AC-ssl-server-policy-myssl] pki-domain 1
[AC-ssl-server-policy-myssl] client-verify enable
[AC-ssl-server-policy-myssl] quit
3) Configure a certificate access control policy
# Configure a certificate attribute group.
[AC] pki certificate attribute-group mygroup1
[AC-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[AC-pki-cert-attribute-group-mygroup1] quit
# Configure the certificate access control policy myacp and create a control rule.
[AC] pki certificate access-control-policy myacp
[AC-pki-cert-acp-myacp] rule 1 permit mygroup1
[AC-pki-cert-acp-myacp] quit
4) Reference an SSL server policy
# Associate the HTTPS service with the SSL server policy myssl.
[AC] ip https ssl-server-policy myssl
5) Associate the HTTPS service with a certificate attribute access control policy
# Associate the HTTPS service with a certificate attribute access control policy myacp.
[AC] ip https certificate access-control-policy myacp
6) Enable the HTTPS service
# Enable the HTTPS service.
[AC] ip https enable
7) Verify the configuration
Launch Internet Explorer on Host and enter https://10.1.1.1. You can then log in to AC and control it.
• For details of PKI commands, refer to PKI in H3C WX6103 Access Controller Switch Interface Board Command Reference.
• For details of the public-key local create rsa command, refer to SSH in H3C WX6103 Access Controller Switch Interface Board Command Reference.
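How the attribute group mygroup1 and the policy myacp from steps 3 and 5 classify a client certificate, as an added Python example (not H3C code and not part of the manual). It assumes case-insensitive matching, first-match rule order and rejection when no rule matches, none of which this page states; the sample issuer DNs are constructed.

```python
# Added illustration: models how attribute group mygroup1 and policy myacp
# from the configuration above classify a client certificate's issuer DN.
# Assumptions (not stated on this page): matching is case-insensitive, a
# certificate must satisfy every attribute in a group, rules are checked in
# ascending order, and a certificate matching no rule is rejected.

OPS = {
    "ctn":  lambda field, value: value in field,       # contains
    "nctn": lambda field, value: value not in field,   # does not contain
    "equ":  lambda field, value: field == value,       # equals
    "nequ": lambda field, value: field != value,       # does not equal
}

# attribute 1 issuer-name dn ctn new-ca
ATTRIBUTE_GROUPS = {"mygroup1": [("issuer-name", "ctn", "new-ca")]}
# rule 1 permit mygroup1
POLICIES = {"myacp": [(1, "permit", "mygroup1")]}


def group_matches(group, cert):
    """True when the certificate satisfies every attribute in the group."""
    return all(
        OPS[op](cert.get(field, "").lower(), value.lower())
        for field, op, value in ATTRIBUTE_GROUPS[group]
    )


def evaluate(policy, cert, default="deny"):
    """Return the action of the first matching rule, else the default."""
    for _rule_id, action, group in sorted(POLICIES[policy]):
        if group_matches(group, cert):
            return action
    return default


# Constructed sample certificates (issuer DNs are made up for illustration).
SAMPLES = {
    "issued by new-ca":  {"issuer-name": "CN=new-ca,O=example"},
    "mixed-case issuer": {"issuer-name": "CN=New-CA,O=example"},
    "other issuer":      {"issuer-name": "CN=old-ca,O=example"},
    "substring hit":     {"issuer-name": "CN=brand-new-ca-lab,O=example"},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:18} -> {evaluate('myacp', cert)}")
```

Because ctn is a substring test, every issuer DN that merely contains new-ca satisfies mygroup1; where only one issuer should pass, the equ operator with the full DN is the narrower choice.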