
pki certificate access-control-policy rule

Function

The pki certificate access-control-policy rule command changes the order of rules in a certificate access policy.

Format

pki certificate access-control-policy [ policy-name policy-name ] rule move rule-id1 { before | after } rule-id2

Parameters

Parameter: policy-name policy-name

Description: Specifies the name of a certificate access policy.

Value: The value must be an existing certificate access policy name.

Parameter: move rule-id1 { before | after } rule-id2

Description: Changes the sequence of rule-id1 and rule-id2.

  • before: moves rule-id1 before rule-id2.
  • after: moves rule-id1 after rule-id2.

Value: The values must be existing certificate access policy rule numbers.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The rules in a certificate access policy may have an AND or OR relationship. In a policy that uses the OR relationship, once a certificate matches a rule and the corresponding action is taken, the system does not match the certificate against the remaining rules. In this situation, you can run this command to adjust the rule sequence so that the rule you prefer takes effect first.

Prerequisites

  1. A certificate access policy has been created using the pki certificate access-control-policy name command.

  2. The certificate access control rules have been configured using the rule (certificate access policy view) command.

Precautions

When you change the sequence of rules, the rule IDs stay in place and the rule contents are swapped between them. For example:

The certificate access policy a has the following rules:

pki certificate access-control-policy name a
 rule 5 permit test1
 rule 20 permit test2

After the pki certificate access-control-policy policy-name a rule move 20 before 5 command is executed, the rules are changed to:

pki certificate access-control-policy name a
 rule 5 permit test2
 rule 20 permit test1
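
The following Python model is an added illustration, not Huawei code or device output. It reproduces the content swap described above and shows how first-match evaluation in an OR policy changes the outcome for a certificate that matches both rules. The evaluation order, the deny action, the attribute-group contents, the sample certificate, and the behavior for more than two rules are assumptions made for the model.

```python
# Added model, not Huawei code. Assumptions: rules are evaluated in ascending
# rule-ID order, a "deny" action exists, attribute groups are plain
# field == value matches, and moves in policies with more than two rules
# behave like a list move (the page documents only the two-rule case).

def move(policy, rule_id1, where, rule_id2):
    """Model 'rule move rule_id1 {before|after} rule_id2'.

    Rule IDs stay in place; only the rule contents change position.
    """
    if rule_id1 not in policy or rule_id2 not in policy or rule_id1 == rule_id2:
        raise ValueError("both rule IDs must exist and differ")
    if where not in ("before", "after"):
        raise ValueError("where must be 'before' or 'after'")
    ids = sorted(policy)
    order = [i for i in ids if i != rule_id1]   # contents, named by old ID
    pos = order.index(rule_id2) + (1 if where == "after" else 0)
    order.insert(pos, rule_id1)
    return {new_id: policy[old_id] for new_id, old_id in zip(ids, order)}

def first_match(policy, groups, cert):
    """OR relationship: the first matching rule decides, later rules are skipped."""
    for rule_id in sorted(policy):
        action, group = policy[rule_id]
        if all(cert.get(k) == v for k, v in groups[group].items()):
            return rule_id, action, group
    return None  # nothing matched; the device's default outcome is not modeled

# Constructed sample data (hypothetical attribute-group contents and certificate).
GROUPS = {"test1": {"issuer_o": "ExampleCA"}, "test2": {"subject_ou": "contractors"}}
POLICY_A = {5: ("permit", "test1"), 20: ("deny", "test2")}
CERT = {"issuer_o": "ExampleCA", "subject_ou": "contractors"}

def demo():
    before = first_match(POLICY_A, GROUPS, CERT)
    moved = move(POLICY_A, 20, "before", 5)
    after = first_match(moved, GROUPS, CERT)
    return before, moved, after

if __name__ == "__main__":
    before, moved, after = demo()
    print("before move:", before)
    print("policy after move:", moved)
    print("after move:", after)
```

Rule 5 decides in both cases, but with different contents, so change records or reviews that refer to a rule by ID should be checked against the configuration as it stood at that time.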

Example

# In the certificate access policy a, move rule 20 before rule 5.

<sysname> system-view
[sysname] pki certificate attribute-group test1
[sysname-pki-attribute-test1] quit
[sysname] pki certificate attribute-group test2
[sysname-pki-attribute-test2] quit
[sysname] pki certificate access-control-policy name a
[sysname-pki-access-a] rule 5 permit test1
[sysname-pki-access-a] rule 20 permit test2
[sysname-pki-access-a] quit
[sysname] pki certificate access-control-policy policy-name a rule move 20 before 5
Copyright © Huawei Technologies Co., Ltd.