Operation Manual – PKI
H3C S5500-EI Series Ethernet Switches
Chapter 1 PKI Configuration

1.10 Configuring an Access Control Policy

By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.

Follow these steps to configure a certificate attribute-based access control policy:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | `system-view` | — |
| Create a certificate attribute group and enter its view | `pki certificate attribute-group group-name` | Required. No certificate attribute group exists by default. |
| Configure an attribute rule for the certificate issuer name, certificate subject name, or alternative subject name | `attribute id { alt-subject-name { fqdn \| ip } \| { issuer-name \| subject-name } { dn \| fqdn \| ip } } { ctn \| equ \| nctn \| nequ } attribute-value` | Optional. There is no restriction on the issuer name, certificate subject name and alternative subject name by default. |
| Return to system view | `quit` | — |
| Create a certificate attribute-based access control policy and enter its view | `pki certificate access-control-policy policy-name` | Required. No access control policy exists by default. |
| Configure a certificate attribute-based access control rule | `rule [ id ] { deny \| permit } group-name` | Required. No access control rule exists by default. |

Caution: A certificate attribute group must exist to be associated with a rule.

1.11 Displaying and Maintaining PKI

| To do… | Use the command… | Remarks |
|---|---|---|
| Display the contents or request status of a certificate | `display pki certificate { { ca \| local } domain domain-name \| request-status }` | Available in any view |
| Display CRLs | `display pki crl domain domain-name` | Available in any view |
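
The procedure in section 1.10, written out as one command sequence. This is an added example, not part of the original manual, and it uses only the command forms listed in the table. The group names, policy name and attribute values are constructed placeholders, and lines beginning with # are annotations, not commands.

```text
# Added example; all names and attribute values below are constructed placeholders.
system-view
# Group trusted-certs: issuer DN contains "example-ca" (ctn) and
# subject DN contains "example-corp" (ctn).
pki certificate attribute-group trusted-certs
attribute 1 issuer-name dn ctn example-ca
attribute 2 subject-name dn ctn example-corp
quit
# Group guest-certs: alternative subject name FQDN equals
# "guest.example.com" (equ).
pki certificate attribute-group guest-certs
attribute 1 alt-subject-name fqdn equ guest.example.com
quit
# Policy server-acp: one deny rule and one permit rule.
# Both groups were created above, as the Caution requires.
pki certificate access-control-policy server-acp
rule 1 deny guest-certs
rule 2 permit trusted-certs
quit
```

This page does not state how rules are ordered or what happens to a certificate that matches no rule, so confirm that behaviour in the command reference before relying on the policy.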