Configuring an Access Control Policy

By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.

Follow these steps to configure a certificate attribute-based access control policy:

To do…                                  Use the command…                                    Remarks

Enter system view                       system-view                                         —

Create a certificate attribute group    pki certificate attribute-group group-name          Required
and enter its view                                                                          No certificate attribute group exists by default.

Configure an attribute rule for the     attribute id { alt-subject-name { fqdn | ip }       Optional
certificate issuer name, certificate    | { issuer-name | subject-name }                    There is no restriction on the issuer name,
subject name, or alternative subject    { dn | fqdn | ip } } { ctn | equ | nctn | nequ }    certificate subject name and alternative
name                                    attribute-value                                     subject name by default.

Return to system view                   quit                                                —

Create a certificate attribute-based    pki certificate access-control-policy policy-name   Required
access control policy and enter its                                                         No access control policy exists by default.
view

Configure a certificate                 rule [ id ] { deny | permit } group-name            Required
attribute-based access control rule                                                         No access control rule exists by default.

A certificate attribute group must exist to be associated with a rule.

Displaying and Maintaining PKI

To do…                                  Use the command…                                    Remarks

Display the contents or request status  display pki certificate { { ca | local } domain     Available in any view
of a certificate                        domain-name | request-status }

Display CRLs                            display pki crl domain domain-name                  Available in any view

Display information about one or all    display pki certificate attribute-group             Available in any view
certificate attribute groups            { group-name | all }

Display information about one or all    display pki certificate access-control-policy       Available in any view
certificate attribute-based access      { policy-name | all }
control policies
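The configuration steps and display commands above run end to end, as an added example that is not taken from the original manual. The group name, policy name and attribute values are constructed, and lines beginning with # are annotations, not commands to type.

```text
# Constructed names and values: corp-clients, https-acp, Example-Internal-CA,
# old-gw.example.com, 192.0.2.10.

system-view

# Create the attribute group and enter its view.
pki certificate attribute-group corp-clients

# Attribute rule 1: matches when the issuer distinguished name
# contains (ctn) the given string.
attribute 1 issuer-name dn ctn Example-Internal-CA

# Attribute rule 2: matches when the subject FQDN is not equal (nequ)
# to the given host name.
attribute 2 subject-name fqdn nequ old-gw.example.com

# Attribute rule 3: matches when the alternative subject name IP
# address equals (equ) the given address.
attribute 3 alt-subject-name ip equ 192.0.2.10

quit

# Create the access control policy and enter its view.
pki certificate access-control-policy https-acp

# The group referenced here must already exist (created above).
rule 1 permit corp-clients

# Confirm what was configured. Both commands are available in any view.
display pki certificate attribute-group corp-clients
display pki certificate access-control-policy https-acp
```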