Destroying a local RSA key pair
A certificate has a lifetime, which is determined by the CA. When the private key leaks or the certificate is about to expire, destroy the old RSA key pair, then generate a new pair and use it to request a new certificate.
Follow these steps to destroy a local RSA key pair:

To do...                        Use the command...              Remarks
Enter system view               system-view                     —
Destroy a local RSA key pair    public-key local destroy rsa    Required

NOTE:
For more information about the public-key local destroy command, see the Security Command Reference.

Deleting a certificate
When a certificate requested manually is about to expire or you want to request a new certificate, delete the current local certificate or CA certificate.
Follow these steps to delete a certificate:

To do...                Use the command...                                          Remarks
Enter system view       system-view                                                 —
Delete certificates     pki delete-certificate { ca | local } domain domain-name    Required

Configuring an access control policy
A certificate attribute-based access control policy can further control access to the server, providing additional security for the server.
Follow these steps to configure a certificate attribute-based access control policy:

To do...                          Use the command...                           Remarks
Enter system view                 system-view                                  —
Create a certificate attribute    pki certificate attribute-group group-name   Required
group and enter its view                                                       No certificate attribute group
                                                                               exists by default.
Configure an attribute rule for   attribute id { alt-subject-name { fqdn |     Optional
the certificate issuer name,      ip } | { issuer-name | subject-name }        No restriction is defined on the
certificate subject name, or      { dn | fqdn | ip } } { ctn | equ | nctn |    issuer name, certificate subject
alternative subject name          nequ } attribute-value                       name and alternative subject name
                                                                               by default.
Return to system view             quit                                         —
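The three procedures above as one CLI session, added here as an illustration rather than taken from the guide itself. The device name Sysname, the PKI domain pkidomain1, the attribute group g1 and the three attribute values are constructed placeholders; the group keeps only certificates issued under an OU containing "security", rejects subjects under a constructed contractor FQDN, and pins one alternative subject IP.

```console
<Sysname> system-view
[Sysname] public-key local destroy rsa
[Sysname] pki delete-certificate local domain pkidomain1
[Sysname] pki certificate attribute-group g1
[Sysname-pki-cert-attribute-group-g1] attribute 1 issuer-name dn ctn ou=security
[Sysname-pki-cert-attribute-group-g1] attribute 2 subject-name fqdn nctn .contractor.example.com
[Sysname-pki-cert-attribute-group-g1] attribute 3 alt-subject-name ip equ 10.1.1.20
[Sysname-pki-cert-attribute-group-g1] quit
[Sysname]
```

The destroy command asks for confirmation before the key pair is removed, and the delete-certificate step shown removes only the local certificate; repeat it with ca to remove the CA certificate as well.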