H3C Technologies H3C SecPath F1000-E User Manual
[Device] pki retrieval-certificate ca domain 1
# Request a local certificate for Device.
[Device] pki request-certificate domain 1
# Configure an SSL server policy myssl, specify PKI domain 1 for it, and enable the SSL server to
perform certificate-based authentication of the client.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
# Configure certificate attribute group mygroup1 with an attribute rule specifying that the
Distinguished Name (DN) in the issuer name contains new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
[Device-pki-cert-attribute-group-mygroup1] quit
# Create certificate access control policy myacp and a control rule, specifying that a certificate
is considered valid when it matches the attribute rule in certificate attribute group mygroup1.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
[Device-pki-cert-acp-myacp] quit
# Associate the HTTPS service with the SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate access control policy myacp, so that only HTTPS
clients holding a certificate issued by new-ca can access the HTTPS server.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user usera, set the password to 123 and the service type to telnet.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
Step 2
Configure the HTTPS client Host
Open IE on Host, type http://10.1.2.2/certsrv, and request a certificate for Host as prompted.
Step 3
Verify the configuration
Open IE on Host, enter https://10.1.1.1, and select the certificate issued to Host by new-ca; you can
then log in to Device. On the login page, enter username usera and password 123 to reach the Web
configuration page of Device, from which you can access and control it.
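The certificate attribute group and access control policy logic configured above, as an added Python model that is not part of the manual or of the device firmware: it parses the page's own CLI lines and evaluates constructed client-certificate stand-ins against them. It assumes the H3C semantics that a certificate matches a group only when it satisfies every attribute rule in it, that policy rules are checked in order with the first match deciding, and that a certificate matching no rule is rejected; the certificate entries are constructed, and the nctn/equ/nequ operators beyond the page's ctn are assumed.

```python
# Attribute-group and ACP lines copied from the configuration above.
CONFIG = """
pki certificate attribute-group mygroup1
 attribute 1 issuer-name dn ctn new-ca
 quit
pki certificate access-control-policy myacp
 rule 1 permit mygroup1
 quit
""".strip().splitlines()
# Constructed stand-ins for client certificates: only the fields the rules inspect.
CERTS = {
    "host": {"issuer-name": "CN=new-ca,O=H3C", "subject-name": "CN=Host"},
    "other": {"issuer-name": "CN=old-ca,O=H3C", "subject-name": "CN=Host"},
    "lookalike": {"issuer-name": "CN=new-ca-lab,O=Lab", "subject-name": "CN=Host"},
}
# Operators of the attribute command (assumed): ctn/nctn test containment, equ/nequ compare the whole field.
OPS = {"ctn": lambda v, a: v in a, "nctn": lambda v, a: v not in a,
       "equ": lambda v, a: v == a, "nequ": lambda v, a: v != a}

def parse_config(lines):
    """Collect attribute groups and ACP rules from CLI lines; 'quit' leaves the current view."""
    groups, policies, view = {}, {}, None
    for line in lines:
        tok = line.split()
        if not tok or tok[0] == "quit":
            view = None
        elif tok[:3] == ["pki", "certificate", "attribute-group"]:
            view = groups.setdefault(tok[3], [])
        elif tok[:3] == ["pki", "certificate", "access-control-policy"]:
            view = policies.setdefault(tok[3], [])
        elif tok[0] == "attribute" and view is not None:
            # attribute <id> <issuer-name|subject-name|alt-subject-name> <dn|fqdn|ip> <op> <value>
            view.append((tok[2], tok[4], " ".join(tok[5:])))
        elif tok[0] == "rule" and view is not None:
            # rule [id] {permit|deny} <group-name>; the rule id is optional on the device
            action, grp = (tok[1], tok[2]) if tok[1] in ("permit", "deny") else (tok[2], tok[3])
            view.append((action, grp))
    return groups, policies

def matches_group(cert, rules):
    """A certificate matches a group only if it satisfies every attribute rule in it."""
    return all(OPS[op](value, cert.get(field, "")) for field, op, value in rules)

def is_permitted(cert_name, policy_name="myacp"):
    """Walk the ACP rules in order: the first matching group decides; no match means deny."""
    groups, policies = parse_config(CONFIG)
    for action, grp in policies[policy_name]:
        if matches_group(CERTS[cert_name], groups[grp]):
            return action == "permit"
    return False
```

The lookalike entry shows that `ctn new-ca` is a containment test: any issuer DN that contains new-ca anywhere satisfies the rule, so when exactly one CA should be accepted, an exact-match operator on the full issuer DN is the tighter rule.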