Removing A Certificate; Configuring A Certificate Access Control Policy - HP MSR2000 Configuration Manual

Removing a certificate

CAUTION:
When you remove the CA certificate in a domain, the system also removes the local certificates, peer certificates, and CRLs in the same PKI domain.

Each certificate issued by a CA has a validity period. If the certificate is about to expire or your private key is compromised, do the following tasks in this order:
1. Remove the local certificate.
2. Use the public-key local destroy command to destroy the existing local key pair.
3. Use the public-key local create command to generate a new key pair.
4. Request a new certificate.
To remove a certificate:

Step                       Command                                                                              Remarks
1. Enter system view.      system-view                                                                          N/A
2. Remove a certificate.   pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }  If no serial number is specified, the command removes all peer certificates.

Configuring a certificate access control policy

You can configure a certificate access control policy on a server to control user access and secure the server. For example, in an HTTPS application, you can configure a certificate access control policy on the HTTPS server to verify the validity of client certificates.

A certificate access control policy is a set of certificate access control rules (permit or deny statements), each associated with a certificate attribute group. A certificate attribute group contains one or more attribute rules, each defining a matching criterion for the issuer name, subject name, or alternative subject names of the certificate. A certificate matches a statement only if it matches all attribute rules in the certificate attribute group associated with that statement.

A certificate is compared against the statements in a policy by sequence number in ascending order. When a match is found, the match process stops, and access control is performed based on the verification result of the matching statement.

A certificate access control policy verifies the validity of a certificate as follows:
• If a certificate matches a permit statement, the certificate passes the verification.
• If a certificate matches a deny statement, or does not match any statement in the policy, the certificate is regarded as invalid.
• If a statement is associated with a non-existent attribute group, or with an attribute group that has no attribute rules, every certificate matches the statement.
• If the certificate access control policy referenced by a security application (for example, HTTPS) does not exist, all certificates in the application pass the verification.

Note that the last two behaviors fail open: a permit statement bound to a missing or empty attribute group permits every certificate, and a policy name that does not exist in the application configuration disables client certificate checking entirely. After configuring a policy, verify that the referenced policy and attribute groups exist and that each attribute group contains the rules you intended.
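The matching rules above, modeled in Python as an added example that is not code from the manual or from the device: statements are tried in ascending sequence order, a statement matches only when every rule in its attribute group matches, a missing or empty group matches everything, and a missing policy passes everything. The "ctn"/"equ" operators and their negations, the sample certificate names, and the lint_policy helper are assumptions made for illustration; the manual only says that rules match on issuer name, subject name, or alternative subject names.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """The certificate fields the attribute rules can test."""
    issuer: str
    subject: str
    alt_names: List[str] = field(default_factory=list)


@dataclass
class AttrRule:
    """One attribute rule: a field, an operator, and a value to compare.

    The operators are an assumption made for this example: "ctn" (contains),
    "equ" (equals), and their negations "nctn" and "nequ".
    """
    field_name: str  # "issuer", "subject", or "alt_names"
    op: str
    value: str

    def matches(self, cert: Cert) -> bool:
        values = cert.alt_names if self.field_name == "alt_names" else [getattr(cert, self.field_name)]
        if self.op == "ctn":
            return any(self.value in v for v in values)
        if self.op == "equ":
            return any(self.value == v for v in values)
        if self.op == "nctn":
            return all(self.value not in v for v in values)
        if self.op == "nequ":
            return all(self.value != v for v in values)
        raise ValueError(f"unknown operator: {self.op}")


@dataclass
class Statement:
    """A permit or deny statement bound to a named attribute group."""
    seq: int
    action: str  # "permit" or "deny"
    group: str


def statement_matches(stmt: Statement, groups: Dict[str, List[AttrRule]], cert: Cert) -> bool:
    rules = groups.get(stmt.group)
    # A missing group, or a group with no rules, matches every certificate.
    if not rules:
        return True
    # Otherwise every rule in the group must match.
    return all(rule.matches(cert) for rule in rules)


def verify(policy: Optional[List[Statement]], groups: Dict[str, List[AttrRule]], cert: Cert) -> bool:
    """Return True if the certificate passes the policy, False if it is regarded as invalid."""
    # A referenced policy that does not exist passes every certificate.
    if policy is None:
        return True
    # Statements are tried by sequence number in ascending order; the first match wins.
    for stmt in sorted(policy, key=lambda s: s.seq):
        if statement_matches(stmt, groups, cert):
            return stmt.action == "permit"
    # No statement matched: the certificate is regarded as invalid.
    return False


def lint_policy(policy: List[Statement], groups: Dict[str, List[AttrRule]]) -> List[str]:
    """Flag statements that match everything because their attribute group is missing or empty."""
    warnings = []
    for stmt in sorted(policy, key=lambda s: s.seq):
        if stmt.group not in groups:
            warnings.append(f"statement {stmt.seq}: group '{stmt.group}' does not exist; it matches all certificates")
        elif not groups[stmt.group]:
            warnings.append(f"statement {stmt.seq}: group '{stmt.group}' has no rules; it matches all certificates")
    return warnings


# Constructed sample data (hypothetical names, not taken from the manual).
GROUPS: Dict[str, List[AttrRule]] = {
    "corp-admins": [
        AttrRule("issuer", "ctn", "CN=Corp Root CA"),
        AttrRule("subject", "ctn", "OU=Admins"),
    ],
    "blocked": [AttrRule("subject", "equ", "CN=jdoe,OU=Admins,O=Corp")],
    "empty": [],
}

# Deliberately listed out of order: evaluation sorts by sequence number, so the deny runs first.
POLICY = [Statement(20, "permit", "corp-admins"), Statement(10, "deny", "blocked")]

ADMIN = Cert("CN=Corp Root CA,O=Corp", "CN=alice,OU=Admins,O=Corp", ["alice.corp.example"])
BLOCKED = Cert("CN=Corp Root CA,O=Corp", "CN=jdoe,OU=Admins,O=Corp")
OUTSIDER = Cert("CN=Other CA,O=Other", "CN=mallory,OU=Admins,O=Other")

# Fail-open pitfalls: a permit bound to a misspelled or empty group permits everyone.
TYPO_POLICY = [Statement(10, "permit", "corp-admin")]
EMPTY_POLICY = [Statement(10, "permit", "empty")]

if __name__ == "__main__":
    for name, cert in (("admin", ADMIN), ("blocked", BLOCKED), ("outsider", OUTSIDER)):
        print(f"{name}: {'pass' if verify(POLICY, GROUPS, cert) else 'invalid'}")
    print("outsider under typo policy:", verify(TYPO_POLICY, GROUPS, OUTSIDER))
    print("outsider with no policy:", verify(None, GROUPS, OUTSIDER))
    for warning in lint_policy(TYPO_POLICY + EMPTY_POLICY, GROUPS):
        print("warning:", warning)
```

Running the script shows the admin certificate passing, the blocked and outsider certificates regarded as invalid, and the outsider passing under the typo policy and when no policy exists; lint_policy reports the two fail-open statements, which is the check worth running before binding a policy to an HTTPS server.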
This manual also applies to: MSR3000, MSR4000