10-21# Create certificate attribute group mygroup2 and add two attribute rules. The first rule defines thatthe FQDN of the alternative subject name does not include the string of apple, and the second ruledefines that the DN of the certificate issuer name includes the string aabbcc.[Switch] pki certificate attribute-group mygroup2[Switch-pki-cert-attribute-group-mygroup2] attribute 1 alt-subject-name fqdn nctn apple[Switch-pki-cert-attribute-group-mygroup2] attribute 2 issuer-name dn ctn aabbcc[Switch-pki-cert-attribute-group-mygroup2] quit3) Configure the certificate attribute-based access control policy# Create the certificate attribute-based access control policy of myacp and add two access controlrules.[Switch] pki certificate access-control-policy myacp[Switch-pki-cert-acp-myacp] rule 1 deny mygroup1[Switch-pki-cert-acp-myacp] rule 2 permit mygroup2[Switch-pki-cert-acp-myacp] quit4) Apply the SSL server policy and certificate attribute-based access control policy to HTTPS serviceand enable HTTPS service.# Apply SSL server policy myssl to HTTPS service.[Switch] ip https ssl-server-policy myssl# Apply the certificate attribute-based access control policy of myacp to HTTPS service.[Switch] ip https certificate access-control-policy myacp# Enable HTTPS service.[Switch] ip https enableTroubleshooting PKIFailed to Retrieve a CA CertificateSymptomFailed to retrieve a CA certificate.AnalysisPossible reasons include these:z The network connection is not proper. For example, the network cable may be damaged or loose.z No trusted CA is specified.z The URL of the registration server for certificate request is not correct or not configured.z No authority is specified for certificate request.z The system clock of the device is not synchronized with that of the CA.Solutionz Make sure that the network connection is physically proper.z Check that the required commands are configured properly.z Use the ping command to check that the RA server is reachable.z Specify the authority for certificate request.z Synchronize the system clock of the device with that of the CA.