ssl-caCertGroup
The following operations can be performed on "ssl-caCertGroup":
add ssl caCertGroup
Creates a new CA certificate group.
Synopsis
add ssl caCertGroup <caCertGroupName>
Arguments
caCertGroupName
Name given to the CA certificate group. The name will be used to add the CA certificates to the group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my file" or 'my file').
Example
add ssl cacertgroup <cacertgroup_name>
bind ssl caCertGroup
Binds the specified CA certificates to the group.
Synopsis
bind ssl caCertGroup <caCertGroupName> (<certkeyName> [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )] )
Arguments
caCertGroupName
Name given to the CA certificate group. The name will be used to add the CA certificates to the group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my file" or 'my file').
certkeyName
Name of the certificate-key pair.
crlCheck
Rule to use for the CRL corresponding to the CA certificate during client authentication. Available settings function as follows:
* MANDATORY - Deny SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete.
* OPTIONAL - Allow SSL clients if the CRL is missing or expired, or the Next Update date is in the past, or the CRL is incomplete, but deny if the client certificate is revoked in the CRL.
Possible values: Mandatory, Optional
Default value: CRLCHECK_OPTIONAL
ocspCheck
Rule to use for the OCSP responder associated with the CA certificate during client authentication. If MANDATORY is specified, deny all SSL clients if the OCSP check fails because of connectivity issues with the remote OCSP server, or any other reason that prevents the OCSP check. With the OPTIONAL setting, allow SSL clients even if the OCSP check fails except when the client certificate is revoked.
Possible values: Mandatory, Optional
Example
bind ssl cacertgroup <cacertgroup_name> <cacertkey_name>
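The crlCheck and ocspCheck settings decide whether a failed revocation lookup denies the client (Mandatory) or lets it through (Optional). The following audit script is an added example, not Citrix code: it scans saved configuration text for bind lines in the shape of the synopsis above and lists the bindings that would still admit clients when the CRL or OCSP lookup fails. The group and cert-key names in the sample are constructed, and the script assumes configuration lines follow the synopsis form.

```python
import shlex

# Constructed sample config; group and cert-key names are made up.
SAMPLE_CONFIG = """\
add ssl caCertGroup partner_cas
bind ssl caCertGroup partner_cas root_ca_1 -crlCheck Mandatory
bind ssl caCertGroup partner_cas root_ca_2 -ocspCheck Optional
bind ssl caCertGroup "legacy group" old_ca
bind ssl cacertgroup partner_cas issuing_ca -ocspCheck MANDATORY
"""

FLAGS = {"-crlcheck": "crlCheck", "-ocspcheck": "ocspCheck"}
BIND_PREFIX = ["bind", "ssl", "cacertgroup"]


def parse_bindings(config_text):
    """Return one dict per 'bind ssl caCertGroup' line."""
    bindings = []
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)  # honours "my file" / 'my file' quoting
        except ValueError:
            continue  # unbalanced quotes: not a line this parser understands
        if len(tokens) < 5 or [t.lower() for t in tokens[:3]] != BIND_PREFIX:
            continue
        entry = {"group": tokens[3], "certkey": tokens[4],
                 "crlCheck": None, "ocspCheck": None}
        opts = tokens[5:]
        for flag, value in zip(opts[::2], opts[1::2]):
            key = FLAGS.get(flag.lower())
            if key:
                entry[key] = value.capitalize()
        # The page documents CRLCHECK_OPTIONAL as the crlCheck default.
        if entry["crlCheck"] is None:
            entry["crlCheck"] = "Optional"
        bindings.append(entry)
    return bindings


def fail_open_bindings(config_text):
    """(group, certkey) pairs where a failed lookup does not deny the client."""
    return [(b["group"], b["certkey"]) for b in parse_bindings(config_text)
            if "Mandatory" not in (b["crlCheck"], b["ocspCheck"])]


if __name__ == "__main__":
    for group, certkey in fail_open_bindings(SAMPLE_CONFIG):
        print(f"fail-open revocation check: group={group!r} certkey={certkey!r}")
```

A binding with no flag at all is reported because the documented crlCheck default is Optional.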
rm ssl caCertGroup
Deletes the specified CA certificate group.
Synopsis
rm ssl caCertGroup <caCertGroupName>
Arguments
caCertGroupName
Name given to the CA certificate group. The name will be used to add the CA certificates to the group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my file" or 'my file').
Example
rm ssl cacertgroup <cacertgroup_name>
unbind ssl caCertGroup
Unbinds the specified CA certificates from the group.
Synopsis
unbind ssl caCertGroup <caCertGroupName> <certkeyName>
Arguments
caCertGroupName
Name given to the CA certificate group. The name will be used to add the CA certificates to the group. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my file" or 'my file').
certkeyName
Name of the certificate-key pair.
Example
unbind ssl cacertgroup <cacertgroup_name> <cacertkey_name>
show ssl caCertGroup
Lists information about either all CA certificate groups or the specified CA certificate group.
Synopsis
show ssl caCertGroup [<caCertGroupName>]
Arguments
caCertGroupName
Name of the CA certificate group for which to show detailed information.
Output
stateflag
caCertGroupReferences
Number of SSL actions that refer to this CA certificate group.
certkeyName
Name for the certkey added to the Citrix ADC. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cert" or 'my cert').
ocspCheck
The state of the OCSP check parameter. (Mandatory/Optional)
crlCheck
The state of the CRL check parameter. (Mandatory/Optional)
devno
count
Example
1) show ssl cacertgroup <cacertgroup_name>
2) show ssl cacertgroup