Rule - HP FlexNetwork 7500 Series Command Reference Manual


<Sysname> system-view
[Sysname] pki domain aaa
[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
Related commands
certificate request mode
pki import
pki retrieve-certificate

rule

Use rule to create an access control rule.
Use undo rule to remove an access control rule.
Syntax
rule [ id ] { deny | permit } group-name
undo rule id
Default
No access control rules exist.
Views
Certificate-based access control policy view
Predefined user roles
network-admin
mdc-admin
Parameters
id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest
unused ID in this range.
deny: Denies the certificates that match the associated attribute group.
permit: Permits the certificates that match the associated attribute group.
group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31
characters.
Usage guidelines
When you create an access control rule, you can associate it with a nonexistent certificate attribute
group.
The system determines that a certificate matches an access control rule when any of the following
conditions exists:
• The associated certificate attribute group does not exist.
• The associated certificate attribute group does not contain any attribute rules.
• The certificate matches all attribute rules in the associated certificate attribute group.
You can configure multiple access control rules for an access control policy. A certificate matches the
rules one by one, starting with the rule with the smallest ID. When a match is found, the match
process stops, and the system performs the access control action defined in the access control rule.
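
The matching behaviour described above, modelled as an added Python example (not code from the manual or from HP). The dictionaries, predicate functions and sample names are assumptions for illustration; it shows that a rule whose attribute group is missing or empty matches every certificate, and lists such rules for review.

```python
# Added example: models the matching behaviour in the usage guidelines.
# The data model (dicts of predicates) and all names are assumptions.

def rule_matches(cert, group_name, groups):
    """Apply the three match conditions; return (matched, reason)."""
    attr_rules = groups.get(group_name.lower())  # names are case-insensitive
    if attr_rules is None:
        return True, "group does not exist"
    if not attr_rules:
        return True, "group has no attribute rules"
    if all(pred(cert) for pred in attr_rules):
        return True, "all attribute rules matched"
    return False, "attribute mismatch"

def evaluate(cert, rules, groups):
    """Smallest rule ID first, stop at the first match.
    Returns None when no rule matches (outcome not stated on this page)."""
    for rule_id in sorted(rules):
        action, group_name = rules[rule_id]
        matched, reason = rule_matches(cert, group_name, groups)
        if matched:
            return action, rule_id, reason
    return None

def audit(rules, groups):
    """Rule IDs that match every certificate (group missing or empty)."""
    return [rid for rid in sorted(rules)
            if not groups.get(rules[rid][1].lower())]

# Constructed sample data: group names are stored in lower case.
GROUPS = {
    "corp": [lambda c: "O=Example Corp" in c["subject"]],
    "any": [],  # deliberately empty: used as a catch-all
}
POLICY = {1: ("permit", "Corp"), 2: ("deny", "any")}
POLICY_TYPO = {1: ("permit", "corpp"), 2: ("deny", "any")}  # misspelled group

CORP_CERT = {"subject": "CN=host1,O=Example Corp"}
OTHER_CERT = {"subject": "CN=host9,O=Other Org"}

if __name__ == "__main__":
    for name, policy in (("POLICY", POLICY), ("POLICY_TYPO", POLICY_TYPO)):
        print(name, "match-all rules:", audit(policy, GROUPS))
        for cert in (CORP_CERT, OTHER_CERT):
            print("  ", cert["subject"], "->", evaluate(cert, policy, GROUPS))
```

With the misspelled group name, rule 1 permits every certificate before rule 2 is ever evaluated, so a review of a policy should confirm that each referenced attribute group exists and contains attribute rules.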