beautypg.com

Displaying and maintaining pki, Pki configuration examples, Certificate request from an rsa keon ca server – H3C Technologies H3C SecBlade LB Cards User Manual

Page 149

background image

138

Step Command

Remarks

2.

Create a certificate attribute
group and enter its view.

pki certificate attribute-group
group-name

No certificate attribute group
exists by default.

3.

Configure an attribute rule for
the certificate issuer name,

certificate subject name, or

alternative subject name.

attribute id { alt-subject-name
{ fqdn | ip } | { issuer-name |

subject-name } { dn | fqdn | ip } }

{ ctn | equ | nctn | nequ }
attribute-value

Optional.
No restriction exists on the issuer

name, certificate subject name
and alternative subject name by

default.

4.

Return to system view.

quit

N/A

5.

Create a certificate

attribute-based access control

policy and enter its view.

pki certificate access-control-policy

policy-name

No access control policy exists by

default.

6.

Configure a certificate
attribute-based access control

rule.

rule [ id ] { deny | permit }
group-name

No access control rule exists by
default.
A certificate attribute group must
exist to be associated with a rule.

Displaying and maintaining PKI

Task Command

Remarks

Display the contents or request
status of a certificate.

display pki certificate { { ca | local } domain
domain-name | request-status } [ | { begin |

exclude | include } regular-expression ]

Available in any view.

Display CRLs.

display pki crl domain domain-name [ | { begin
| exclude | include } regular-expression ]

Available in any view.

Display information about one or
all certificate attribute groups.

display pki certificate attribute-group
{ group-name | all } [ | { begin | exclude |

include } regular-expression ]

Available in any view.

Display information about one or
all certificate attribute-based

access control policies.

display pki certificate access-control-policy
{ policy-name | all } [ | { begin | exclude |

include } regular-expression ]

Available in any view.

PKI configuration examples

The SCEP add-on is required when you use the Windows Server as the CA. In this case, when you

configure the PKI domain, you must use the certificate request from ra command to specify that the entity
requests a certificate from an RA.
The SCEP add-on is not required when RSA Keon is used. In this case, when configuring a PKI domain,

you need to use the certificate request from ca command to specify that the entity requests a certificate

from a CA.

Certificate request from an RSA Keon CA server

1.

Network requirements

This manual is related to the following products:
See also other documents in the category H3C Technologies Safety: