• The subject name field and the issuer name field can contain a single DN, multiple FQDNs, and multiple IP addresses.
• The alternative subject name field can contain multiple FQDNs and IP addresses but zero DNs.

An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 57.

Table 57 Combinations of attribute-value pairs and operation keywords

Operation | DN | FQDN/IP
ctn | The DN contains the specified attribute value. | Any FQDN or IP address contains the specified attribute value.
nctn | The DN does not contain the specified attribute value. | None of the FQDNs or IP addresses contain the specified attribute value.
equ | The DN is the same as the specified attribute value. | Any FQDN or IP address is the same as the specified attribute value.
nequ | The DN is not the same as the specified attribute value. | None of the FQDNs or IP addresses are the same as the specified attribute value.

A certificate matches an attribute rule if it contains an attribute that matches the criterion defined in the rule. For example, a certificate matches the attribute 1 subject-name dn ctn abc rule if it meets the following conditions:
• The subject name field of the certificate contains the DN attribute.
• The DN attribute value contains the abc string.

A certificate matches an attribute group if it matches all attribute rules in the group.

Examples

# Create a certificate attribute group and enter its view.
system-view
[Sysname] pki certificate attribute-group mygroup

# Specify an attribute rule to match certificates that contain the abc string in the subject DN.
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Specify an attribute rule to match certificates that do not contain FQDN abc in the issuer name field.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Specify an attribute rule to match certificates that do not contain IP address 10.0.0.1 in the alternative subject name field.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

Related commands

display pki certificate attribute-group
rule

ca identifier

Use ca identifier to specify the trusted CA.
Use undo ca identifier to restore the default.

Syntax

ca identifier name
undo ca identifier
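
The attribute-rule semantics of Table 57 and the three mygroup rules from the attribute-group example earlier on this page, modelled in Python as an added example (not code from this manual or from the device). The dict layout, the names rule_matches and group_matches, case-sensitive comparison, and the choice that a rule never matches when the field holds no value of the named type are assumptions; the sample certificates are constructed.

```python
# Model of the Table 57 attribute-rule semantics (added example, not device code).
# Assumptions: comparison is case-sensitive, and a rule never matches when the
# named certificate field holds no value of the named type (DN, FQDN or IP).

def rule_matches(cert, field, attr_type, op, value):
    """cert is a hypothetical dict: field name -> attribute type -> list of values."""
    values = cert.get(field, {}).get(attr_type, [])
    if not values:
        return False  # assumption: an absent attribute matches no rule
    if op == "ctn":    # any value contains the string
        return any(value in v for v in values)
    if op == "nctn":   # no value contains the string
        return all(value not in v for v in values)
    if op == "equ":    # any value is identical to the string
        return value in values
    if op == "nequ":   # no value is identical to the string
        return value not in values
    raise ValueError(f"unknown operation keyword: {op}")

def group_matches(cert, rules):
    """A certificate matches a group only if it matches every rule in it."""
    return all(rule_matches(cert, *rule) for rule in rules)

# The three rules configured for "mygroup" on this page.
MYGROUP = [
    ("subject-name", "dn", "ctn", "abc"),
    ("issuer-name", "fqdn", "nequ", "abc"),
    ("alt-subject-name", "ip", "nequ", "10.0.0.1"),
]

# Constructed sample certificates (not real data).
GOOD = {
    "subject-name": {"dn": ["CN=abc-gw,O=Example"]},
    "issuer-name": {"fqdn": ["ca.example.test"]},
    "alt-subject-name": {"ip": ["192.0.2.10", "192.0.2.11"]},
}
# Same certificate, but one of its two alternative-name IPs is 10.0.0.1:
# nequ requires that none of the values equal the rule value.
BAD_IP = dict(GOOD, **{"alt-subject-name": {"ip": ["192.0.2.10", "10.0.0.1"]}})

if __name__ == "__main__":
    for name, cert in (("GOOD", GOOD), ("BAD_IP", BAD_IP)):
        print(name, "matches mygroup:", group_matches(cert, MYGROUP))
```

In this model ctn is a plain substring test, so an ip ctn 10.0.0.1 rule would also match 10.0.0.10; equ and nequ compare the whole value.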