| To do… | Use the command… | Remarks |
|---|---|---|
| Destroy a local RSA key pair | `public-key local destroy rsa` | Required |

Note: For details about the public-key local destroy rsa command, refer to "SSH Configuration" on page 1107.

Deleting a Certificate

When a certificate requested manually is about to expire or you want to request a new certificate, you can delete the current local certificate or CA certificate.

Follow these steps to delete a certificate:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | `system-view` | - |
| Delete certificates | `pki delete-certificate { ca \| local } domain domain-name` | Required |

Configuring an Access Control Policy

By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.

Follow these steps to configure a certificate attribute-based access control policy:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | `system-view` | - |
| Create a certificate attribute group and enter its view | `pki certificate attribute-group group-name` | Required. No certificate attribute group exists by default. |
| Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name | `attribute id { alt-subject-name { fqdn \| ip } \| { issuer-name \| subject-name } { dn \| fqdn \| ip } } { ctn \| equ \| nctn \| nequ } attribute-value` | Optional. There is no restriction on the issuer name, certificate subject name and alternative subject name by default. |
| Return to system view | `quit` | - |
| Create a certificate attribute-based access control policy and enter its view | `pki certificate access-control-policy policy-name` | Required. No access control policy exists by default. |
| Configure a certificate attribute-based access control rule | `rule [ id ] { deny \| permit } group-name` | Required. No access control rule exists by default. |

CAUTION: A certificate attribute group must exist to be associated with a rule.

Displaying and Maintaining PKI

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the contents or request status of a certificate | `display pki certificate { { ca \| local } domain domain-name \| request-status }` | Available in any view |
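
The access control policy procedure above, instantiated as an added example (not taken from the original manual). The group names, policy name and attribute values are constructed placeholders, and the lines starting with # are annotations rather than commands to enter.

```text
# Constructed example: all names and attribute values below are placeholders.
system-view

# Create the attribute groups first. A rule can only reference a group
# that already exists (see the CAUTION above).
pki certificate attribute-group trusted-issuer
 # Attribute rule 1: issuer name, as a DN, contains (ctn) "example-ca".
 attribute 1 issuer-name dn ctn example-ca
 # Attribute rule 2: alternative subject name FQDN is not equal (nequ)
 # to "test.example.com".
 attribute 2 alt-subject-name fqdn nequ test.example.com
 quit

pki certificate attribute-group blocked-subject
 # Attribute rule 1: subject name, as a DN, contains (ctn) "retired-unit".
 attribute 1 subject-name dn ctn retired-unit
 quit

# Create the policy and bind each group to a permit or deny rule.
pki certificate access-control-policy server-access
 rule 1 deny blocked-subject
 rule 2 permit trusted-issuer
 quit
```

Because attribute rules are optional and no restriction applies by default, a group created without any attribute rule places no constraint on the issuer, subject or alternative subject name.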