Configuring A Certificate Access Control Policy - HP 5920 Series Configuration Manual
Hide thumbs
Also See for 5920 Series:
- Command reference manual (607 pages) ,
- Configuration manual (322 pages) ,
- Fc and fcoe configuration manual (257 pages)
Table of Contents
Advertisement
You can remove the CA certificate, local certificate, or peer certificates in a PKI domain. After you
remove the CA certificate, the system automatically removes the local certificates, peer certificates, and
CRLs in the domain.
You can remove a local certificate and request a new one when the local certificate is about to expire or
the certificate's private key is compromised. To remove a local certificate and request a new certificate,
perform the following tasks:
1.
Remove the local certificate.
2.
Use public-key local destroy to destroy the existing local key pair.
3.
Use public-key local create to generate a new key pair.
4.
Request a new certificate.
To remove a certificate:
Step
1.
Enter system view.
2.
Remove a certificate.
Configuring a certificate access control policy
Certificate-based access control policies allow you to authorize access to a device (for example, an
HTTPS server) based on the attributes of an authenticated client's certificate.
A certificate-based access control policy is a set of access control rules (permit or deny statements), each
associated with a certificate attribute group. A certificate attribute group contains multiple attribute rules,
each defining a matching criterion for an attribute in the certificate issuer name, subject name, or
alternative subject name field.
If a certificate matches all attribute rules in a certificate attribute group associated with an access control
rule, the system determines that the certificate matches the access control rule. In this scenario, the match
process stops, and the system performs the access control action defined in the access control rule.
The following describes how a certificate access control policy verifies the validity of a certificate:
If a certificate matches a permit statement, the certificate passes the verification.
•
If a certificate matches a deny statement or does not match any statements in the policy, the
•
certificate is regarded invalid.
•
If a statement associates with a non-existing attribute group, or the attribute group is configured
without any attribute rules, the certificate matches the statement.
If the certificate access control policy referenced by a security application (for example, HTTPS)
•
does not exist, all certificates in the application pass the verification.
To configure a certificate access control policy:
Command
system-view
pki delete-certificate domain domain-name { ca |
local | peer [ serial serial-num ] }
198
Remarks
N/A
If you use the peer
keyword without
specifying a serial
number, the command
removes all peer
certificates.
- Quick Links:
- Configuration Guide
- Configuring Local Users
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
