Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Create a certificate attribute group and enter its view.
   Command: pki certificate attribute-group group-name
   Remarks: By default, no certificate attribute group exists.

3. (Optional.) Configure an attribute rule for issuer name, subject name, or alternative subject name.
   Command: attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value
   Remarks: By default, no attribute rule is configured.

4. Return to system view.
   Command: quit
   Remarks: N/A

5. Create a certificate access control policy and enter its view.
   Command: pki certificate access-control-policy policy-name
   Remarks: By default, no certificate access control policy exists.

6. Create a certificate access control rule (or statement).
   Command: rule [ id ] { deny | permit } group-name
   Remarks: By default, no statement is configured, and all certificates can pass the verification. You can create multiple statements for a certificate access control policy.

Displaying and maintaining PKI

Execute display commands in any view.

Task / Command

Display the contents of a certificate.
   Command: display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Display certificate request status.
   Command: display pki certificate request-status [ domain domain-name ]

Display locally stored CRLs.
   Command: display pki crl domain domain-name

Display certificate attribute group information.
   Command: display pki certificate attribute-group [ group-name ]

Display certificate access control policy information.
   Command: display pki certificate access-control-policy [ policy-name ]

PKI configuration examples

You can use different software applications, such as Windows server, RSA Keon, and OpenCA, to act as the CA server.

If you use Windows server or OpenCA, install the SCEP add-on for Windows server or enable SCEP for OpenCA. In either case, when you configure a PKI domain, you must use the certificate request from ra command to specify the RA to accept certificate requests for PKI entity enrollment to an RA.
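Steps 1 to 6 of the certificate access control policy procedure above, entered as one command sequence. This is an added example, not taken from the original manual: the group names, policy name and attribute values are constructed placeholders, and the lines beginning with # are annotations rather than commands.

```text
# Constructed example. Names (reject-group, accept-group, example-acp) and
# attribute values are placeholders chosen for illustration.
system-view

# Attribute group for certificates that must be rejected:
# subject DN contains (ctn) the string "test".
pki certificate attribute-group reject-group
 attribute 1 subject-name dn ctn test
 quit

# Attribute group for certificates that may be accepted:
# issuer DN contains (ctn) "example-ca" and the alternative subject name
# FQDN is not equal to (nequ) "old.example.com".
pki certificate attribute-group accept-group
 attribute 1 issuer-name dn ctn example-ca
 attribute 2 alt-subject-name fqdn nequ old.example.com
 quit

# Access control policy with two statements.
# Assumption: statements are evaluated in ascending rule ID order, so the
# deny statement is given the lower ID.
# A policy left without any statement lets all certificates pass the
# verification (the default noted in step 6), so add at least one rule.
pki certificate access-control-policy example-acp
 rule 1 deny reject-group
 rule 2 permit accept-group
 quit

# Confirm what was configured (display commands run in any view).
display pki certificate attribute-group
display pki certificate access-control-policy example-acp
```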