
(Optional) Configuring Certificate Filtering

Context

Certificate filtering builds on certificate authentication and further tightens certificate security: only certificates that match the certificate access policy are accepted. This function improves access security between communicating devices.

If a certificate does not match any rule in the certificate access policy, the action in the default certificate access policy is taken. By default, the action in a certificate access policy is permit. That is, the certificate is allowed to pass verification. For example, you can configure certificate filtering for IPSec tunnel establishment. Only the certificate issued by the specified CA can be used to set up an IPSec tunnel.

  • If a certificate attribute group contains multiple rules with the AND relationship, the action in the certificate access policy is taken when a certificate matches all rules.
  • If a certificate access policy contains multiple rules with the OR relationship, the action in the certificate access policy is taken once a certificate matches one rule.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run pki certificate access-control-policy default { deny | permit }

    The default certificate attribute access control policy is configured.

    By default, the action in a certificate attribute access control policy is permit. That is, the certificate is allowed to pass verification.

  3. Run pki certificate attribute-group group-name

    A certificate attribute group is created and its view is displayed, or the view of an existing certificate attribute group is displayed.

    By default, no certificate attribute group is created.

  4. Configure certificate attribute rules.

    • To specify the start and end time of the validity period for a certificate, run the attribute id validity from HH:MM:SS YYYY/MM/DD to HH:MM:SS YYYY/MM/DD command.

    • To specify the alternative subject name for a certificate with the specified FQDN, run the attribute id alt-subject-name fqdn { ctn | equ | nctn | nequ } attribute-value command.

    • To specify the alternative subject name for a certificate with the specified IP address, run the attribute id alt-subject-name ip { ctn | equ | nctn | nequ } ip-address command.

    • To specify the certificate issuer with the specified DN, run the attribute id issuer-name dn { ctn | equ | nctn | nequ } attribute-value command.

    • To specify the subject of the certificate with the specified DN, run the attribute id subject-name dn { ctn | equ | nctn | nequ } attribute-value command.

    By default, the validity period, issuer, subject, or alternative subject of a certificate is not configured.

  5. Run quit

    Return to the system view.

  6. Run pki certificate access-control-policy name policy-name

    A certificate attribute access control policy is created and its view is displayed, or the view of an existing certificate attribute access control policy is displayed.

    By default, no certificate attribute access control policy is created.

  7. Run rule id { permit | deny } group-name

    The certificate attribute control rule is configured.

    By default, no certificate attribute control rule is configured.

  8. (Optional) Run description description

    The description is configured for a certificate attribute access control policy.

    By default, no description is configured for a certificate attribute access control policy.

  9. (Optional) Change the sequence of rules in the certificate attribute access control policy.

    1. Run quit

      Return to the system view.

    2. Run pki certificate access-control-policy [ policy-name policy-name ] rule move rule-id1 { before | after } rule-id2

      The sequence of rules in the certificate attribute access control policy is changed.

    When you change the sequence of rules in the certificate attribute access control policy, the sequence of rule IDs is unchanged, but the rule contents are swapped. For example:

    The certificate access policy a has the following rules:

    pki certificate access-control-policy name a
     rule 5 permit test1
     rule 20 permit test2

    After the pki certificate access-control-policy policy-name a rule move 20 before 5 command is executed, the rules are changed:

    pki certificate access-control-policy name a
     rule 5 permit test2
     rule 20 permit test1
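The following Python model is an added example, not Huawei code, that shows how the matching semantics from the Context section and the policy built by the procedure above fit together: attribute rules inside a group are ANDed, policy rules are ORed and consulted in rule-ID order, the default action applies when nothing matches, and rule move reorders rule contents while leaving the rule IDs in place. The certificates, group names (test1, test2), policy name (a) and DN values are constructed for the example; the reading of ctn/equ/nctn/nequ as contains/equals/not-contains/not-equals, the validity rule as "the certificate's validity period lies within the window", and the extension of rule move beyond the page's two-rule case are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed meaning of the CLI match keywords.
OPERATORS = {
    "equ":  lambda actual, expected: actual == expected,
    "nequ": lambda actual, expected: actual != expected,
    "ctn":  lambda actual, expected: expected in actual,
    "nctn": lambda actual, expected: expected not in actual,
}


def parse_cli_time(text):
    """Parse the HH:MM:SS YYYY/MM/DD form used by the validity rule."""
    return datetime.strptime(text, "%H:%M:%S %Y/%m/%d")


@dataclass
class Certificate:
    """Constructed stand-in holding only the fields the attribute rules inspect."""
    subject_dn: str
    issuer_dn: str
    not_before: datetime
    not_after: datetime
    alt_fqdn: str = ""
    alt_ip: str = ""


@dataclass
class AttributeRule:
    """One 'attribute id ...' line inside an attribute group."""
    field: str      # subject-name | issuer-name | alt-subject-name-fqdn | alt-subject-name-ip | validity
    operator: str   # ctn | equ | nctn | nequ (unused for validity)
    value: str      # attribute-value, or "from|to" for validity

    def matches(self, cert):
        if self.field == "validity":
            start, end = (parse_cli_time(t) for t in self.value.split("|"))
            # Assumption: the whole validity period of the certificate must lie in the window.
            return start <= cert.not_before and cert.not_after <= end
        actual = {
            "subject-name": cert.subject_dn,
            "issuer-name": cert.issuer_dn,
            "alt-subject-name-fqdn": cert.alt_fqdn,
            "alt-subject-name-ip": cert.alt_ip,
        }[self.field]
        return OPERATORS[self.operator](actual, self.value)


@dataclass
class AttributeGroup:
    name: str
    rules: list = field(default_factory=list)

    def matches(self, cert):
        # Rules inside a group are ANDed: every rule must match.
        return all(rule.matches(cert) for rule in self.rules)


@dataclass
class AccessControlPolicy:
    name: str
    groups: dict
    default_action: str = "permit"
    rules: dict = field(default_factory=dict)   # rule-id -> (action, group-name)

    def rule(self, rule_id, action, group_name):
        self.rules[rule_id] = (action, group_name)

    def evaluate(self, cert):
        # Policy rules are ORed: walk them in rule-ID order, first matching group wins.
        for rule_id in sorted(self.rules):
            action, group_name = self.rules[rule_id]
            if self.groups[group_name].matches(cert):
                return action
        return self.default_action   # no rule matched: default policy action

    def move_rule(self, rule_id1, position, rule_id2):
        """Model of 'rule move rule-id1 { before | after } rule-id2': the sorted
        rule IDs stay in place, only the rule contents are reordered."""
        ids = sorted(self.rules)
        contents = [self.rules[i] for i in ids]
        moving = contents.pop(ids.index(rule_id1))
        target = [i for i in ids if i != rule_id1].index(rule_id2)
        contents.insert(target if position == "before" else target + 1, moving)
        self.rules = dict(zip(ids, contents))


def demo_policy():
    """Policy assembled the way steps 2 to 7 of the procedure build one (constructed values)."""
    test1 = AttributeGroup("test1", [
        AttributeRule("issuer-name", "equ", "CN=Corp Root CA,O=Example"),
        AttributeRule("alt-subject-name-fqdn", "ctn", ".example.com"),
        AttributeRule("validity", "", "00:00:00 2024/01/01|23:59:59 2030/12/31"),
    ])
    test2 = AttributeGroup("test2", [AttributeRule("subject-name", "ctn", "OU=Partner")])
    policy = AccessControlPolicy("a", {"test1": test1, "test2": test2}, default_action="deny")
    policy.rule(5, "permit", "test1")
    policy.rule(20, "permit", "test2")
    return policy


# Constructed certificates: one from the corporate CA with a matching FQDN, one from the
# same CA with a foreign FQDN (fails the AND), and one partner certificate hitting rule 20.
VALID_FROM, VALID_TO = datetime(2025, 1, 1), datetime(2027, 1, 1)
CORP_CERT = Certificate("CN=vpn1,O=Example", "CN=Corp Root CA,O=Example", VALID_FROM, VALID_TO, alt_fqdn="vpn1.example.com")
STRAY_CERT = Certificate("CN=vpn9,O=Example", "CN=Corp Root CA,O=Example", VALID_FROM, VALID_TO, alt_fqdn="vpn9.other.net")
PARTNER_CERT = Certificate("CN=gw,OU=Partner,O=Other", "CN=Other CA", VALID_FROM, VALID_TO)

if __name__ == "__main__":
    policy = demo_policy()
    for label, cert in (("corp", CORP_CERT), ("stray", STRAY_CERT), ("partner", PARTNER_CERT)):
        print(label, policy.evaluate(cert))
    policy.move_rule(20, "before", 5)
    print(policy.rules)
```

With the default action left at permit (the device default), STRAY_CERT would pass verification even though it matches no rule, which is why a filtering policy that is meant to restrict access normally sets the default to deny in step 2.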

Copyright © Huawei Technologies Co., Ltd.