Certificate Import And Export Configuration Example - HP MSR Series Configuration Manual

4. Configure certificate attribute groups:
# Create a certificate attribute group named mygroup1 and add two attribute rules. The first
rule defines that the DN in the subject DN contains the string of aabbcc. The second rule
defines that the IP address of the certificate issuer is 10.0.0.1.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1
[Device-pki-cert-attribute-group-mygroup1] quit
# Create a certificate attribute group named mygroup2 and add two attribute rules. The first
rule defines that the FQDN in the alternative subject name does not contain the string of apple.
The second rule defines that the DN of the certificate issuer name contains the string of
aabbcc.
[Device] pki certificate attribute-group mygroup2
[Device-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn
apple
[Device-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc
[Device-pki-cert-attribute-group-mygroup2] quit
5. Configure a certificate-based access control policy:
# Create a certificate-based access control policy named myacp.
[Device] pki certificate access-control-policy myacp
# Define a statement to deny the certificates that match the attribute rules in the certificate
attribute group mygroup1.
[Device-pki-cert-acp-myacp] rule 1 deny mygroup1
# Define a statement to permit the certificates that match the attribute rules in the certificate
attribute group mygroup2.
[Device-pki-cert-acp-myacp] rule 2 permit mygroup2
[Device-pki-cert-acp-myacp] quit
Verifying the configuration
# On the host, access the HTTPS server through a Web browser.
The server first verifies the validity of the host's certificate according to the configured
certificate-based access control policy. In the host's certificate, the subject DN is aabbcc, the IP
address of the certificate issuer is 1.1.1.1, and the FQDN of the alternative subject name is banaba.
The host's certificate does not match the certificate attribute group mygroup1 specified in rule 1 of
the certificate-based access control policy. The certificate continues to match against rule 2.
The host's certificate matches the certificate attribute group mygroup2 specified in rule 2. Because
rule 2 is a permit statement, the certificate passes the verification and the host can access the
HTTPS server.

Certificate import and export configuration example

Network requirements
As shown in
exportdomain on Device A has two local certificates containing the private key and one CA
certificate. To make sure the certificates are still valid after Device B replaces Device A, copy the
certificates on Device A to Device B as follows:
1. Export the certificates in PKI domain exportdomain on Device A to .pem certificate files.
During the export, encrypt the private key in the local certificates using 3DES_CBC with the
password 11111.
2. Transfer the certificate files from Device A to Device B through the FTP host.
Figure 95, Device B will replace Device A in the network. The PKI domain
275