# Configure an SSL server policy myssl, specify PKI domain 1 for it, and enable the SSL server to
perform certificate-based authentication of the client.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
# Configure certificate attribute group mygroup1 with an attribute rule specifying that the
Distinguished Name (DN) in the issuer name includes new-ca.
[Device] pki certificate attribute-group mygroup1
[Device-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca
# Create certificate access control policy myacp and create a control rule, specifying that a certificate is
considered valid when it matches an attribute rule in certificate attribute group mygroup1.
[Device] pki certificate access-control-policy myacp
[Device-pki-cert-acp-myacp] rule 1 permit mygroup1
# Associate the HTTPS service with the SSL server policy myssl.
[Device] ip https ssl-server-policy myssl
# Associate the HTTPS service with certificate attribute access control policy myacp, so that only
HTTPS clients with a certificate obtained from new-ca can access the HTTPS server.
[Device] ip https certificate access-control-policy myacp
# Enable the HTTPS service.
[Device] ip https enable
# Create a local user usera, set the password to 123, and set the service type to telnet.
[Device] local-user usera
[Device-luser-usera] password simple 123
[Device-luser-usera] service-type telnet
Configure the HTTPS client Host
Open Internet Explorer on Host, enter http://10.1.2.2/certsrv, and request a certificate for Host as prompted.
Verify the configuration
Open Internet Explorer on Host, enter https://10.1.1.1, and select the certificate issued by new-ca as the
certificate for Host. You can then log in to Device. On the login page, enter username usera and
password 123 to reach the Web configuration page of Device, where you can access and control it.
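The following Python model is an added illustration, not device code or part of the original guide. It shows which client certificates the attribute rule `issuer-name dn ctn new-ca` and policy `rule 1 permit mygroup1` would accept. The evaluation order, the reject-on-no-match default, the `equ` variant and all sample DNs are assumptions made for the model.

```python
# Added illustration (not device code): a model of the certificate attribute
# group and access control policy configured in this example.
from dataclasses import dataclass

# Match operators; ctn is the one on this page, the other three are not shown on it.
OPS = {
    "ctn": lambda field, value: value in field,       # contains
    "nctn": lambda field, value: value not in field,  # does not contain
    "equ": lambda field, value: field == value,       # equals
    "nequ": lambda field, value: field != value,      # does not equal
}

@dataclass(frozen=True)
class AttributeRule:
    field: str   # "issuer-name" or "subject-name", DN form only in this model
    op: str
    value: str

def group_matches(rules, cert):
    # Assumption: every attribute rule in the group must hold for a match.
    return all(OPS[r.op](cert[r.field], r.value) for r in rules)

def acp_permits(policy, groups, cert):
    # Assumption: rules are checked in rule-ID order; the first match decides.
    for _rule_id, action, group in sorted(policy):
        if group_matches(groups[group], cert):
            return action == "permit"
    # Assumption: no match means rejected, in line with "only HTTPS clients
    # ... from new-ca can access the HTTPS server".
    return False

# rule 1 permit mygroup1 / attribute 1 issuer-name dn ctn new-ca
POLICY = [(1, "permit", "mygroup1")]
GROUPS = {"mygroup1": [AttributeRule("issuer-name", "ctn", "new-ca")]}
# Hypothetical stricter group using an exact match on the whole issuer DN.
STRICT_GROUPS = {"mygroup1": [AttributeRule("issuer-name", "equ", "CN=new-ca")]}

# Constructed sample certificates (DN strings only, no real certificates).
SAMPLE_CERTS = {
    "host": {"issuer-name": "CN=new-ca", "subject-name": "CN=Host"},
    "other-ca": {"issuer-name": "CN=old-ca", "subject-name": "CN=Host2"},
    "similar-name": {"issuer-name": "CN=new-ca-lab", "subject-name": "CN=Host3"},
}

def evaluate(groups=GROUPS):
    return {n: acp_permits(POLICY, groups, c) for n, c in SAMPLE_CERTS.items()}

if __name__ == "__main__":
    print("ctn:", evaluate())
    print("equ:", evaluate(STRICT_GROUPS))
```

Because `ctn` is a substring test, any issuer DN that contains new-ca satisfies the rule. Certificate chain validation against the PKI domain is a separate check and is not modelled here.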
The URL of the HTTPS server starts with https://, and that of the HTTP server starts with http://.
For details of PKI commands, refer to PKI Commands in the Security Volume.
For details of the public-key local create rsa command, refer to Public Key Commands in the
For details of SSL commands, refer to SSL Commands in the Security Volume.