The pki whitelist-fuzzy-match enable command enables fuzzy match for the PKI certificate whitelist.
The undo pki whitelist-fuzzy-match enable command restores exact match for the PKI certificate whitelist.
By default, the PKI certificate whitelist supports exact match.
The virtual system does not support this command.
Usage Scenario
After PKI certificate whitelist check is enabled by using the pki validate-certificate whitelist enable command, the PKI certificate whitelist supports exact match by default. That is, the local device checks whether the CN in the subject of the remote device's certificate, carried in the received certificate authentication packet, is exactly the same as an entry in the local certificate whitelist. If not, authentication fails.
In some scenarios, however, the CN in a certificate subject contains dots (.), such as 123.huawei.com, but that in the certificate whitelist does not, such as 123. In this case, the CN in the certificate subject of the remote device does not exactly match that in the local certificate whitelist, leading to an authentication failure. To prevent this problem, run the pki whitelist-fuzzy-match enable command to enable fuzzy match for the PKI certificate whitelist. After this function is enabled, the local device matches the content before the first dot in the received CN with that in the local certificate whitelist. If they match, authentication succeeds.
Precautions
PKI certificate whitelist check must have been enabled by using the pki validate-certificate whitelist enable command. Otherwise, fuzzy match for the PKI certificate whitelist does not take effect.
Before enabling fuzzy match for the PKI certificate whitelist, ensure that the CN in the certificate whitelist does not contain dots. Otherwise, PKI certificate whitelist check fails.
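The following is an added example, not code from the device or its documentation: a small Python model of the whitelist decision described under Usage Scenario and Precautions, covering exact match, fuzzy match (prefix before the first dot), the dependency on whitelist check being enabled, and a pre-check for dotted whitelist entries. The configuration class, function names and byte-exact string comparison are assumptions made for illustration; it also shows that under fuzzy match any CN sharing the prefix before the first dot is accepted, which is what makes the whitelist entries worth choosing carefully.

```python
"""Model of the PKI certificate whitelist check: exact match vs. fuzzy match.

Constructed for illustration only (not the device's own code). The decision
logic follows the documented behaviour of `pki validate-certificate whitelist
enable` and `pki whitelist-fuzzy-match enable`. String comparison is byte-exact;
extracting the CN from the certificate subject is not modelled here.
"""
from dataclasses import dataclass, field


@dataclass
class WhitelistConfig:
    whitelist_check: bool = False   # pki validate-certificate whitelist enable
    fuzzy_match: bool = False       # pki whitelist-fuzzy-match enable
    whitelist: set = field(default_factory=set)  # permitted CN entries


def fuzzy_key(cn: str) -> str:
    """Fuzzy match compares only the part of the received CN before the first dot."""
    return cn.split(".", 1)[0]


def whitelist_allows(cfg: WhitelistConfig, received_cn: str) -> bool:
    """Decide whether the remote certificate's subject CN passes the whitelist stage.

    - Whitelist check disabled: this stage filters nothing, so the fuzzy
      setting has no effect (other certificate validation is out of scope here).
    - Exact match (default): the whole CN must equal a whitelist entry.
    - Fuzzy match: the prefix before the first dot must equal a whitelist entry,
      so every CN sharing that prefix is accepted.
    """
    if not cfg.whitelist_check:
        return True
    if cfg.fuzzy_match:
        return fuzzy_key(received_cn) in cfg.whitelist
    return received_cn in cfg.whitelist


def dotted_entries(whitelist) -> list:
    """Whitelist entries containing a dot can never match under fuzzy match,
    because the compared prefix contains no dot. Run this before enabling
    fuzzy match; a non-empty result means those entries would always fail."""
    return sorted(entry for entry in whitelist if "." in entry)
```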