ssl-certKey¶
The following operations can be performed on "ssl-certKey":
add | rm | set | unset | bind | unbind | link | unlink | show | update | clear
add ssl certKey¶
Adds a certificate-key pair to memory. After it is bound to a virtual server or service, it is used for processing SSL transactions. In a high-availability configuration, the path to the certificate and the optional private key must be the same on the primary and the secondary appliance. For a server certificate, a private key is required.
Synopsis¶
add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]
Arguments¶
certkeyName
Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cert" or 'my cert').
cert
Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance's hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
key
Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The private-key file should be present on the appliance's hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
password
Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.
fipsKey
Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.
hsmKey
Name of the HSM key that was created in the External Hardware Security Module (HSM) of a FIPS appliance.
inform
Input format of the certificate and the private-key files. The three formats supported by the appliance are:
PEM - Privacy Enhanced Mail
DER - Distinguished Encoding Rules
PFX - Personal Information Exchange
Possible values: DER, PEM, PFX
Default value: PEM
passplain
Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.
expiryMonitor
Issue an alert when the certificate is about to expire.
Possible values: ENABLED, DISABLED
notificationPeriod
Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100
bundle
Parse the certificate chain as a single file: the file holds the server certificate followed by its issuer certificates, and the appliance links the server certificate to its issuer's certificate within the file.
Possible values: YES, NO Default value: NO
Example¶
1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command loads a certificate and a private-key file.
2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: **
The above command loads a certificate and an encrypted private-key file; the appliance prompts for the passphrase instead of taking it on the command line.
3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024
The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.
4) add ssl certkey externalhsmcert -cert /nsconfig/ssl/hsmcert.pem -hsmkey key_simple_rsa1
The above command loads a certificate and associates it with the corresponding HSM key that resides within the external HSM.
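As an added example (not part of this reference and not Citrix code), the following Python builds add ssl certKey and link ssl certKey command lines for an automation script while enforcing the rules stated above: the certkeyName character set and the quoting rule for names with spaces, the exclusivity of -key, -fipsKey and -hsmKey, -password only with a PEM key, and the 10 to 100 day notificationPeriod range. Keeping files under /nsconfig/ssl/ is the example's own policy (an assumption), chosen because the page warns that other locations can make HA nodes diverge. All function and variable names are the example's own.

```python
import re

# Character rule quoted from the certkeyName argument: first character ASCII
# alphanumeric or '_', then only ASCII alphanumeric, '_', '#', '.', space, ':', '@', '=', '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_#. :@=-]*$")
DEFAULT_DIR = "/nsconfig/ssl/"          # default certificate/key directory on the appliance
INFORMS = ("PEM", "DER", "PFX")
NOTIFY_MIN, NOTIFY_MAX = 10, 100         # notificationPeriod bounds from the reference


class CertKeyError(ValueError):
    """Raised when the inputs would yield a command the appliance rejects or that breaks HA."""


def quote_name(name):
    """Validate a certkeyName and quote it for the CLI when it contains spaces."""
    if not NAME_RE.fullmatch(name):
        raise CertKeyError(f"invalid certkeyName {name!r}")
    return f'"{name}"' if " " in name else name


def check_path(path, what):
    """Reject ambiguous file references and (local policy) anything outside /nsconfig/ssl/."""
    if not path or re.search(r"[\s\"';|&]", path) or ".." in path.split("/"):
        raise CertKeyError(f"unsafe {what} path {path!r}")
    if path.startswith("/") and not path.startswith(DEFAULT_DIR):
        raise CertKeyError(f"{what} path {path!r} is outside {DEFAULT_DIR}; HA nodes may diverge")
    return path


def add_certkey_cmd(name, cert, *, key=None, fips_key=None, hsm_key=None,
                    encrypted_key=False, inform="PEM", expiry_monitor=False,
                    notification_period=None, bundle=False):
    """Return the 'add ssl certKey' command line, in the argument order of the synopsis."""
    parts = ["add", "ssl", "certKey", quote_name(name), "-cert", check_path(cert, "cert")]
    if encrypted_key:
        if not key:
            raise CertKeyError("-password applies only to an encrypted PEM key given with -key")
        parts.append("-password")        # appliance prompts; the passphrase never lands in the script
    if sum(1 for s in (key, fips_key, hsm_key) if s) > 1:
        raise CertKeyError("-key, -fipsKey and -hsmKey are mutually exclusive")
    if key:
        parts += ["-key", check_path(key, "key")]
    elif fips_key:
        parts += ["-fipsKey", quote_name(fips_key)]   # same character rule assumed for key names
    elif hsm_key:
        parts += ["-hsmKey", quote_name(hsm_key)]
    if inform not in INFORMS:
        raise CertKeyError(f"inform must be one of {INFORMS}")
    if inform != "PEM":                  # PEM is the default, so omit it
        parts += ["-inform", inform]
    if notification_period is not None and not expiry_monitor:
        raise CertKeyError("notificationPeriod requires expiryMonitor ENABLED")
    if expiry_monitor:
        parts += ["-expiryMonitor", "ENABLED"]
        if notification_period is not None:
            days = int(notification_period)
            if not NOTIFY_MIN <= days <= NOTIFY_MAX:
                raise CertKeyError(f"notificationPeriod must be {NOTIFY_MIN}..{NOTIFY_MAX} days")
            parts += ["-notificationPeriod", str(days)]
    if bundle:
        parts += ["-bundle", "YES"]
    return " ".join(parts)


def link_certkey_cmd(name, ca_name):
    """Return the 'link ssl certKey' command that attaches a certkey to its issuer's certkey."""
    return f"link ssl certKey {quote_name(name)} {quote_name(ca_name)}"


if __name__ == "__main__":
    print(add_certkey_cmd("siteAcertkey", "/nsconfig/ssl/cert.pem", key="/nsconfig/ssl/pkey.pem",
                          expiry_monitor=True, notification_period=30))
    print(link_certkey_cmd("siteAcertkey", "CAcertkey"))
```

The builder deliberately supports only the interactive -password form; a script that must run unattended would have to carry the passphrase itself, which is why the reference's passplain option deserves the same handling as any other secret in automation.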
rm ssl certKey¶
Removes all the certificate-key pairs, or the specified certificate-key pair, from the appliance. The certificate-key pair is removed only if it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server or linked to another certificate-key pair.
Synopsis¶
rm ssl certKey <certkeyName> ... [-deletefromdevice]
Arguments¶
certkeyName
Name of the certificate-key pair to remove.
deletefromdevice
Also delete the certificate and key files from the appliance's file system.
Example¶
1) rm ssl certkey siteAcertkey
The above command removes the certificate-key pair siteAcertkey from the system.
2) rm ssl certkey siteAcertkey -deletefromdevice
The above command removes the certificate-key pair siteAcertkey from the system and deletes its certificate and key files from the file system.
set ssl certKey¶
Modifies the specified attributes of a certificate-key pair.
Synopsis¶
set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]
Arguments¶
certkeyName
Name of the certificate-key pair to modify.
expiryMonitor
Issue an alert when the certificate is about to expire.
Possible values: ENABLED, DISABLED
notificationPeriod
Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100
unset ssl certKey¶
Use this command to remove ssl certKey settings. Refer to the set ssl certKey command for the meanings of the arguments.
Synopsis¶
unset ssl certKey <certkeyName> [-expiryMonitor] [-notificationPeriod]
bind ssl certKey¶
Binds an OCSP responder to a certificate-key pair (normally a CA certificate-key pair), with a priority that orders the responders when more than one is bound. As the synopsis shows, an OCSP responder is the only object this command binds.
Synopsis¶
bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
Arguments¶
certkeyName
Name of the certificate-key pair.
ocspResponder
Name of the OCSP responder to be associated with the CA certificate.
priority
Priority of the OCSP responder binding. Minimum value: 1
Example¶
1)bind ssl certkey cacert -ocspResponder ocsp_ca -priority 1 In the above example, the CA certificate cacert is bound with the OCSP responder ocsp_ca with priority 1, which is highest.
unbind ssl certKey¶
Unbinds the specified OCSP responder from the certificate-key pair.
Synopsis¶
unbind ssl certKey <certkeyName> -ocspResponder <string>
Arguments¶
certkeyName
Name of the certificate-key pair to unbind.
ocspResponder
Name of the OCSP responder.
Example¶
1) unbind ssl certkey cacert -ocspResponder ocsp_ca
In the above example, the OCSP responder ocsp_ca is unbound from the CA certificate-key pair cacert.
link ssl certKey¶
Links a certificate-key pair to its Certificate Authority (CA) certificate-key pair.
Synopsis¶
link ssl certKey <certkeyName> <linkCertKeyName>
Arguments¶
certkeyName
Name of the certificate-key pair to link to its issuer's certificate-key pair in the chain.
linkCertKeyName
Name of the Certificate Authority certificate-key pair to which to link a certificate-key pair.
Example¶
1) link ssl certkey siteAcertkey CAcertkey
In the above example, the certificate-key pair siteAcertkey is linked to its issuer's certificate-key pair CAcertkey.
unlink ssl certKey¶
Unlinks the certificate-key pair from its Certificate-Authority (CA) certificate-key pair.
Synopsis¶
unlink ssl certKey <certkeyName>
Arguments¶
certkeyName
Name of the certificate-key pair to unlink.
Example¶
1)unlink ssl certkey siteAcertkey The above example unlinks the certificate 'siteAcertkey' from its Certificate-Authority (CA) certificate.
show ssl certKey¶
Displays information about all the certificate-key pairs configured on the appliance, or displays detailed information about the specified certificate-key pair.
Synopsis¶
show ssl certKey [<certkeyName>]
Arguments¶
certkeyName
Name of the certificate-key pair for which to show detailed information.
Output¶
cert
The name and location of the file containing the certificate.
key
The name and location of the file containing the key.
inform
The encoding format of the certificate and key (PEM,DER or PFX).
signatureAlg
Signature algorithm.
CertificateType
Specifies whether the certificate is of type root-CA, intermediate-CA, server, client, or client and server
serial
Serial number.
issuer
Issuer name.
clientCertNotBefore
Not-Before date.
clientCertNotAfter
Not-After date.
daysToExpiration
Days remaining for the certificate to expire.
subject
Subject name.
publickey
Public key algorithm.
publickeysize
Size of the public key.
version
Version.
priority
ocsp priority
status
Status of the certificate.
fipsKey
FIPS key ID.
hsmKey
External HSM key ID.
passcrypt
Passcrypt.
data
Vserver Id
serverName
Vserver name to which the certificate key pair is bound.
serviceName
Service name to which the certificate key pair is bound.
ocspResponder
OCSP responders bound to this certkey
sslProfile
SSL profile name to which the certificate key pair is bound.
expiryMonitor
Certificate expiry monitor
notificationPeriod
Certificate expiry notification period
linkCertKeyName
The name of the Certificate-Authority.
stateflag
ocspResponseStatus
Ocsp response status of the certificate.
ocspBindReferences
Number of references to ocspresponder by this certkey
gslbServiceFlag
Indicates that this is a gslb service
builtin
Flag to determine if Cert key is built-in or not
feature
The feature to be checked while applying this config
devno
count
Example¶
1) An example of the output of the show ssl certkey command is shown below:
2 configured certkeys:
1) Name: siteAcertkey
   Cert Path: /nsconfig/ssl/siteA-cert.pem
   Key Path: /nsconfig/ssl/siteA-key.pem
   Format: PEM
   Status: Valid
2) Name: cert1
   Cert Path: /nsconfig/ssl/server_cert.pem
   Key Path: /nsconfig/ssl/server_key.pem
   Format: PEM
   Status: Valid
2) An example of the output of the show ssl certkey siteAcertkey command is shown below:
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
    Not Before: Nov 11 14:58:18 2001 GMT
    Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
The sample certificate is signed with md5WithRSAEncryption and carries a 1024-bit RSA key; mainstream clients have rejected both for years, so treat these values as an illustration of the output layout, not as a configuration to copy.
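Added example (not part of this reference and not Citrix code): a Python parser for the detailed show ssl certKey output in the layout shown above, plus an audit that derives daysToExpiration from the Not After field, compares it with the notificationPeriod an operator would configure, and flags the weak signature algorithm and key size visible in the sample. The sample text is constructed from the example above; treating MD5 and SHA-1 signatures as weak and 2048-bit RSA as the minimum is the example's own policy, and every function name is the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of "show ssl certKey siteAcertkey" above.
SAMPLE_SHOW_OUTPUT = """\
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
    Not Before: Nov 11 14:58:18 2001 GMT
    Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
"""

# Field names are letters and spaces; the lazy group stops at the first colon, so
# "Not After: Aug 7 14:58:18 2004 GMT" splits correctly despite the colons in the time.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
WEAK_SIGNATURES = ("md5", "sha1")   # example policy
MIN_RSA_BITS = 2048                  # example policy


def parse_show_certkey(text):
    """Turn the 'Field: value' lines of the detailed output into a dict (bare lines are skipped)."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            record[m.group(1)] = m.group(2)
    return record


def parse_validity(value):
    """Parse the appliance's 'Mon D HH:MM:SS YYYY GMT' form, tolerating extra spaces."""
    normalised = " ".join(value.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_to_expiration(record, now=None):
    """Whole days until Not After, negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_validity(record["Not After"]) - now).days


def audit_certkey(record, now=None, notification_period=30):
    """Return (code, detail) findings; an empty list means nothing to act on."""
    findings = []
    if record.get("Status") != "Valid":
        findings.append(("status", record.get("Status", "missing")))
    sig = record.get("Signature Algorithm", "").lower()
    if any(weak in sig for weak in WEAK_SIGNATURES):
        findings.append(("weak-signature", sig))
    if record.get("Public Key Algorithm") == "rsaEncryption":
        bits = int(record.get("Public Key size", "0"))
        if bits < MIN_RSA_BITS:
            findings.append(("weak-key", f"RSA {bits} bits"))
    days = days_to_expiration(record, now)
    if days < 0:
        findings.append(("expired", f"{-days} days ago"))
    elif days <= notification_period:   # same threshold the expiry monitor would alert on
        findings.append(("expiring", f"{days} days left"))
    return findings


if __name__ == "__main__":
    rec = parse_show_certkey(SAMPLE_SHOW_OUTPUT)
    for code, detail in audit_certkey(rec, now=datetime(2004, 7, 20, tzinfo=timezone.utc)):
        print(f"{rec['Name']}: {code} ({detail})")
```

Run against the output of show ssl certKey for every name in the configuration, this gives a single place to catch certificates the appliance would still report as Valid but that no modern client would accept.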
update ssl certKey¶
Updates the certificate or private key in a certificate-key pair. In a high availability configuration, the path to the certificate and the optional private key must be the same on the primary and secondary nodes.
Synopsis¶
update ssl certKey <certkeyName> [-cert <string> [-password]] [-key <string> | -fipsKey <string>] [-inform <inform>] [-noDomainCheck]
Arguments¶
certkeyName
Name of the certificate-key pair to update.
cert
Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance's hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
key
Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The private-key file should be present on the appliance's hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
password
Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.
fipsKey
Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.
inform
Input format of the certificate and the private-key files. The three formats supported by the appliance are:
PEM - Privacy Enhanced Mail
DER - Distinguished Encoding Rules
PFX - Personal Information Exchange
Possible values: DER, PEM, PFX
Default value: PEM
passplain
Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.
noDomainCheck
Override the check that the domain names in the new certificate match those in the certificate being replaced. Use it only when the name change is intended: the check is what stops an update from silently swapping in a certificate issued for a different host.
Example¶
1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command updates a certificate and private-key file.
2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: **
The above command updates a certificate and private-key file. Here the private-key file is an encrypted key.
3) update ssl certkey mydomaincert
The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.
clear ssl certKey¶
Clear cached ocspStapling response in certkey.
Synopsis¶
clear ssl certKey <certkeyName> -ocspstaplingCache
Arguments¶
certkeyName
Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cert" or 'my cert').
ocspstaplingCache
Clear cached ocspStapling response in certkey.