SunScreen 3.2 Administration Guide

Using Certificate Groups

These procedures describe how to create and work with certificate groups. The examples in these tasks use a list of U.S. sales offices (sales-list) as the certificate group and individual sales offices (such as sales-il for the Illinois office).

To Add Certificate Groups

After you have named certificate IDs in the rule, you can group them into logical groups so that you can use a group instead of single names in a rule.

    Use the GROUP option to group named certificate IDs.

    For example:


    edit> add certificate sales-list GROUP 
    {sales-co sales-il sales-tx sales-sca sales-nca} {} 
    COMMENT "list of U.S. sales offices"
    

To Add a New Member to a Certificate Group

    Use the add_member subcommand to add a new member to a certificate group.

    For example:


    edit> add_member certificate sales-list sales-wy
    

To Remove a Member From a Certificate Group

    Use the del_member subcommand to remove a member from a certificate group.

    For example:


    edit> del_member certificate sales-list sales-wy
    

To Rename a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not rename the certificates that were created when you installed SunScreen.


    Use the renamereference subcommand to rename a certificate or certificate group.

    For example:


    edit> renamereference certificate sales-ny sales-northeast
    

When you rename a certificate group using this command, SunScreen checks for all instances in the certificate policy object for the old name and changes them to the new name. It does not rename references in other places, such as administrative rules and policy rules.

To Delete a Certificate or Certificate Group

Note -

To make troubleshooting easier, do not delete the certificates that were created when you installed a remotely administered SunScreen.


This command does not check for references to the certificate or certificate group that you are deleting.

    Use the del subcommand to delete a certificate or certificate group.

    For example:


    edit> del certificate sales-la
    

To Check References to a Deleted Certificate

    Use the refer subcommand to find references to a certificate or certificate group that you want to delete or have already deleted.

    For example:


    edit> refer certificate sales-la
    

To Check References to a Deleted Certificate Group

    Use the referlist subcommand to find references to a certificate or certificate group that you want to delete or have already deleted.

    For example:


    edit> referlist certificate sales-west
    

    This displays a list of all the instances in the certificate database where the certificate group is used. You can then remove the group from the access entries that use it and edit any policy rule that uses it to remove the reference.
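As an added illustration (not SunScreen code), the following Python model of a certificate store reproduces the behaviour these procedures describe: renamereference rewrites references held by other certificate objects only, del performs no reference check, and refer shows what still points at a deleted name. The class, the rules table and the dangling_references helper are assumptions of the model, and the names used are constructed sample data.

```python
# Added model (not SunScreen code) of the certificate-group operations in this guide.
# All names used with it (sales-list, rule names) are constructed sample data.


class CertificateDB:
    """Minimal stand-in for the certificate policy objects managed at 'edit>'."""

    def __init__(self):
        self.certs = {}   # name -> set of member names (empty set for a single cert)
        self.rules = {}   # policy rule name -> certificate name it references (assumed)

    def add(self, name, members=()):
        # 'add certificate NAME' or 'add certificate NAME GROUP {members}'
        self.certs[name] = set(members)

    def add_member(self, group, member):
        self.certs[group].add(member)

    def del_member(self, group, member):
        self.certs[group].discard(member)

    def renamereference(self, old, new):
        # Renames the object and rewrites references held by other certificate
        # objects only; policy rules keep the old name, as the guide warns.
        self.certs[new] = self.certs.pop(old)
        for members in self.certs.values():
            if old in members:
                members.discard(old)
                members.add(new)

    def delete(self, name):
        # 'del certificate NAME': no reference check, so groups and rules
        # that name the certificate are left with a dangling reference.
        del self.certs[name]

    def refer(self, name):
        # 'refer' / 'referlist': groups and rules that still point at NAME,
        # whether or not the object itself still exists.
        groups = sorted(g for g, m in self.certs.items() if name in m)
        rules = sorted(r for r, c in self.rules.items() if c == name)
        return groups, rules


def dangling_references(db):
    """Names referenced by a group or rule that no longer exist as objects."""
    referenced = set(db.rules.values())
    for members in db.certs.values():
        referenced |= members
    return sorted(referenced - set(db.certs))
```

Running dangling_references after every rename or delete is the check the guide recommends doing by hand with refer and referlist.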