ADC CLI Commands

ssl-certKey

The following operations can be performed on “ssl-certKey”:

show, bind, unlink, update, add, unbind, link, unset, clear, rm, set

show ssl certKey

Displays information about all the certificate-key pairs configured on the appliance, or displays detailed information about the specified certificate-key pair.

Synopsis

show ssl certKey [<certkeyName>]

Arguments

certkeyName Name of the certificate-key pair for which to show detailed information.

Output

cert The name and location of the file containing the certificate.

key The name and location of the file containing the key.

inform The encoding format of the certificate and key (PEM, DER, or PFX).

signatureAlg Signature algorithm.

CertificateType Specifies whether the certificate is of type root-CA, intermediate-CA, server, client, or client and server.

serial Serial number.

issuer Issuer name.

clientCertNotBefore Not-Before date.

clientCertNotAfter Not-After date.

daysToExpiration Days remaining for the certificate to expire.

subject Subject name.

publickey Public key algorithm.

publickeysize Size of the public key.

version Version.

priority Priority of the OCSP responder binding.

status Status of the certificate.

fipsKey FIPS key ID.

hsmKey External HSM key ID.

passcrypt Encrypted form of the private-key passphrase, as stored in the configuration.

passplain Passphrase used to encrypt the private key, in plain text.

data Vserver ID.

serverName Vserver name to which the certificate key pair is bound.

serviceName Service name to which the certificate key pair is bound.

ocspResponder OCSP responders bound to this certkey

sslProfile SSL profile name to which the certificate key pair is bound.

expiryMonitor Certificate expiry monitor

notificationPeriod Certificate expiry notification period

linkCertKeyName Name of the Certificate-Authority (CA) certificate-key pair to which this certificate-key pair is linked.

stateflag

sandns Subject Alternative Name (SAN) is an X.509 extension that allows several values to be associated with a certificate through the subjectAltName field. This field lists the DNS-name entries.

sanipadd IP-address entries of the certificate’s subjectAltName extension.

ocspResponseStatus OCSP response status of the certificate.

ocspBindReferences Number of references to ocspresponder by this certkey

gslbServiceFlag Indicates that this is a GSLB service.

builtin Flag to determine if Cert key is built-in or not

feature The feature to be checked while applying this config

CertKeyDigest MD5 digest (md5sum) of the certificate and key files, recorded when the pair was added.

devno

count

Example

1) An example of the output of the show ssl certkey command is shown below:

    2 configured certkeys:
    1) Name: siteAcertkey
       Cert Path: /nsconfig/ssl/siteA-cert.pem
       Key Path: /nsconfig/ssl/siteA-key.pem
       Format: PEM
       Status: Valid
    2) Name: cert1
       Cert Path: /nsconfig/ssl/server_cert.pem
       Key Path: /nsconfig/ssl/server_key.pem
       Format: PEM
       Status: Valid

2) An example of the output of the show ssl certkey siteAcertkey command is shown below:

    Name: siteAcertkey
    Status: Valid
    Version: 3
    Serial Number: 02
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
    Validity
        Not Before: Nov 11 14:58:18 2001 GMT
        Not After: Aug 7 14:58:18 2004 GMT
    Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
    Public Key Algorithm: rsaEncryption
    Public Key size: 1024

Note that this sample shows an md5WithRSAEncryption signature and a 1024-bit RSA key; both are long deprecated, and a certificate like this should be replaced rather than re-bound.
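The two outputs above are plain "Field: value" text, so the hygiene checks a practitioner wants (weak signature algorithm, undersized RSA key, days to expiry, non-Valid status) can be run over a saved copy of them. The following is an added example, not Citrix or NetScaler code: LISTING and DETAIL are constructed from the page's own sample output, and the thresholds MIN_RSA_BITS and WARN_DAYS are this example's assumptions.

```python
# Added example (not Citrix/NetScaler code): parse the text printed by
# `show ssl certKey` and `show ssl certKey <name>` and flag
# certificate-key pairs that need attention. LISTING and DETAIL are
# constructed from the page's sample output; MIN_RSA_BITS and WARN_DAYS
# are assumptions made for this example.
import re
from datetime import datetime, timezone

LISTING = """\
2 configured certkeys:
1) Name: siteAcertkey
   Cert Path: /nsconfig/ssl/siteA-cert.pem
   Key Path: /nsconfig/ssl/siteA-key.pem
   Format: PEM
   Status: Valid
2) Name: cert1
   Cert Path: /nsconfig/ssl/server_cert.pem
   Key Path: /nsconfig/ssl/server_key.pem
   Format: PEM
   Status: Valid
"""

DETAIL = """\
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
    Not Before: Nov 11 14:58:18 2001 GMT
    Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
"""

WEAK_SIG = re.compile(r"\b(md2|md4|md5|sha1)", re.IGNORECASE)
MIN_RSA_BITS = 2048   # assumption: anything smaller is flagged
WARN_DAYS = 30        # assumption: warn inside this window
ENTRY = re.compile(r"^\s*(\d+)\)\s*(.*)$")   # "1) Name: ..." entry prefix


def _fields(lines):
    """Turn 'Field: value' lines into a dict with lower-cased keys.
    Lines without a colon (the bare 'Validity' label) are skipped and
    runs of whitespace in values are collapsed so 'Aug  7' still parses."""
    out = {}
    for line in lines:
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip().lower()] = " ".join(value.split())
    return out


def parse_listing(text):
    """Split the multi-entry listing on its 'N) ' prefixes, one dict each."""
    groups, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = []
            groups.append(current)
            line = m.group(2)
        if current is not None:
            current.append(line)
    return [_fields(g) for g in groups]


def parse_detail(text):
    """Parse the single-certkey detail output."""
    return _fields(text.splitlines())


def parse_ns_date(value):
    """'Aug 7 14:58:18 2004 GMT' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def audit(detail, now):
    """Return the list of findings for one parsed detail record at time `now`."""
    findings = []
    sig = detail.get("signature algorithm", "")
    if WEAK_SIG.search(sig):
        findings.append(f"weak signature algorithm: {sig}")
    bits = int(detail.get("public key size", "0") or 0)
    if detail.get("public key algorithm") == "rsaEncryption" and bits < MIN_RSA_BITS:
        findings.append(f"RSA key too small: {bits} bits")
    days = (parse_ns_date(detail["not after"]) - now).days
    if days < 0:
        findings.append(f"expired {-days} days ago")
    elif days < WARN_DAYS:
        findings.append(f"expires in {days} days")
    if detail.get("status") != "Valid":
        findings.append(f"status is {detail.get('status', '?')}")
    return findings


if __name__ == "__main__":
    for entry in parse_listing(LISTING):
        print(entry["name"], entry["status"], entry["cert path"])
    record = parse_detail(DETAIL)
    for finding in audit(record, parse_ns_date("Jul 20 00:00:00 2004 GMT")):
        print(f"{record['name']}: {finding}")
```

Run it against the output of `show ssl certkey <name>` captured from each appliance; the `now` argument is passed in explicitly so the same record can be checked against any reference date, which also keeps the check reproducible.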

bind ssl certKey

Binds a certificate-key pair to an SSL virtual server or an SSL service.

Synopsis

bind ssl certKey <certkeyName> [-ocspResponder <string>] [-priority <positive_integer>]

Arguments

certkeyName Name of the certificate-key pair.

ocspResponder Name of the OCSP responder to be associated with the CA certificate.

priority Priority of the OCSP responder binding. Minimum value: 1

Example

1) bind ssl certkey cacert -ocspResponder ocsp_ca -priority 1

   In the above example, the CA certificate cacert is bound to the OCSP responder ocsp_ca with priority 1, the highest priority.

unlink ssl certKey

Unlinks the certificate-key pair from its Certificate-Authority (CA) certificate-key pair.

Synopsis

unlink ssl certKey <certkeyName>

Arguments

certkeyName Name of the certificate-key pair to unlink.

Example

1) unlink ssl certkey siteAcertkey

   The above example unlinks the certificate ‘siteAcertkey’ from its Certificate-Authority (CA) certificate.

update ssl certKey

Updates the certificate or private key in a certificate-key pair. In a high availability configuration, the path to the certificate and the optional private key must be the same on the primary and secondary nodes.

Synopsis

update ssl certKey <certkeyName> [-cert <string> [-password]] [-key <string> | -fipsKey <string>] [-inform <inform>] [-noDomainCheck]

Arguments

certkeyName Name of the certificate-key pair to update.

cert Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

key Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The key file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

password Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.

fipsKey Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.

inform Input format of the certificate and the private-key files. The three formats supported by the appliance are:

    PEM - Privacy Enhanced Mail
    DER - Distinguished Encoding Rule
    PFX - Personal Information Exchange

Possible values: DER, PEM, PFX Default value: PEM

passplain Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.

noDomainCheck Override the check for matching domain names during a certificate update operation.

Example

1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem

   The above command updates a certificate and private key file.

2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
   Password:

   The above command updates a certificate and private key file. Here the private key file is an encrypted key; the passphrase is entered at the prompt rather than on the command line.

3) update ssl certkey mydomaincert

   The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.

add ssl certKey

Adds a certificate-key pair to memory. After it is bound to a virtual server or service, it is used for processing SSL transactions. In a high-availability configuration, the path to the certificate and the optional private key must be the same on the primary and the secondary appliance. For a server certificate, a private key is required.

Synopsis

add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]

Arguments

certkeyName Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cert” or ‘my cert’).

cert Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

key Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The key file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

password Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.

fipsKey Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.

hsmKey Name of the HSM key that was created in the External Hardware Security Module (HSM) of a FIPS appliance.

inform Input format of the certificate and the private-key files. The three formats supported by the appliance are:

    PEM - Privacy Enhanced Mail
    DER - Distinguished Encoding Rule
    PFX - Personal Information Exchange

Possible values: DER, PEM, PFX Default value: PEM

passplain Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.

expiryMonitor Issue an alert when the certificate is about to expire.

Possible values: ENABLED, DISABLED

notificationPeriod Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100

bundle Parse the certificate chain as a single file after linking the server certificate to its issuer’s certificate within the file.

Possible values: YES, NO Default value: NO

Example

1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem

   The above command loads a certificate and private key file.

2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
   Password:

   The above command loads a certificate and private key file. Here the private key file is an encrypted key; the passphrase is entered at the prompt rather than on the command line.

3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024

   The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.

4) add ssl certkey externalhsmcert -cert /nsconfig/ssl/hsmcert.pem -hsmkey key_simple_rsa1

   The above command loads a certificate and associates it with the corresponding HSM key that resides within the external HSM.

unbind ssl certKey

Unbinds the specified certificate-key pair from the SSL virtual server or service.

Synopsis

unbind ssl certKey <certkeyName> -ocspResponder <string>

Arguments

certkeyName Name of the certificate-key pair to unbind.

ocspResponder Name of the OCSP responder.

Example

1) unbind ssl certkey sslvip siteAcertkey

   In the above example, the server certificate siteAcertkey is unbound from the SSL virtual server.

2) unbind ssl certkey sslvip CAcertkey -CA

   In the above example, the CA certificate CAcertkey is unbound from the SSL virtual server.

link ssl certKey

Links a certificate-key pair to its Certificate Authority (CA) certificate-key pair.

Synopsis

link ssl certKey <certkeyName> <linkCertKeyName>

Arguments

certkeyName Name of the certificate-key pair to link to its issuer’s certificate-key pair in the chain.

linkCertKeyName Name of the Certificate Authority certificate-key pair to which to link a certificate-key pair.

Example

1) link ssl certkey siteAcertkey CAcertkey

   In the above example, the certificate-key pair siteAcertkey is linked to its issuer certificate-key pair CAcertkey.
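When several certificate-key pairs have been added separately (rather than with -bundle YES on add), each non-root pair must be linked to the pair holding its issuer's certificate, and the Issuer and Subject fields that show ssl certKey reports are what identify that pair. The following added example, not Citrix or NetScaler code, derives the link commands for a set of loaded pairs from those DNs: CERTKEYS and every DN in it are constructed. Matching on DN alone is a heuristic, since it does not verify the issuer's signature and cannot decide between two loaded pairs with the same Subject DN (for example cross-signed CAs), so the plan reports those as ambiguous and any pair whose issuer is not loaded as unresolved; treat the output as a proposal to review before running it.

```python
# Added example (not Citrix/NetScaler code): work out which
# `link ssl certkey <child> <issuer>` commands a set of loaded
# certificate-key pairs needs by matching each pair's Issuer DN against
# the Subject DNs of the others, as `show ssl certKey <name>` reports
# them. The four certkeys and all DNs below are constructed.

CERTKEYS = [
    {"name": "siteAcertkey",
     "subject": "/C=US/O=siteA/CN=www.sitea.example",
     "issuer": "/C=US/O=Example CA/CN=Example Issuing CA"},
    {"name": "issuingCA",
     "subject": "/C=US/O=Example CA/CN=Example Issuing CA",
     "issuer": "/C=US/O=Example CA/CN=Example Root CA"},
    {"name": "rootCA",
     "subject": "/C=US/O=Example CA/CN=Example Root CA",
     "issuer": "/C=US/O=Example CA/CN=Example Root CA"},
    {"name": "orphancert",     # its issuer has not been added
     "subject": "/C=US/O=siteB/CN=www.siteb.example",
     "issuer": "/C=US/O=Other CA/CN=Other Issuing CA"},
]


def index_by_subject(certkeys):
    """Map Subject DN -> names of the loaded certkeys carrying it."""
    by_subject = {}
    for ck in certkeys:
        by_subject.setdefault(ck["subject"], []).append(ck["name"])
    return by_subject


def plan_links(certkeys):
    """Return (commands, unresolved, ambiguous).

    commands   - one link command per non-root certkey that has exactly
                 one loaded candidate issuer
    unresolved - certkeys whose issuer is not loaded: the chain is
                 incomplete until the CA pair is added
    ambiguous  - certkeys with several loaded candidates sharing the
                 issuer's Subject DN; DN matching cannot decide these
    """
    by_subject = index_by_subject(certkeys)
    commands, unresolved, ambiguous = [], [], []
    for ck in certkeys:
        if ck["issuer"] == ck["subject"]:
            continue  # self-signed root: nothing above it to link
        parents = by_subject.get(ck["issuer"], [])
        if len(parents) == 1:
            commands.append(f"link ssl certkey {ck['name']} {parents[0]}")
        elif not parents:
            unresolved.append(ck["name"])
        else:
            ambiguous.append((ck["name"], parents))
    return commands, unresolved, ambiguous


def chain(certkeys, name):
    """Walk from `name` up to the root, or as far as loaded pairs allow.
    Stops on a repeated name so a malformed issuer loop cannot spin."""
    by_name = {ck["name"]: ck for ck in certkeys}
    by_subject = index_by_subject(certkeys)
    order, seen = [], set()
    current = by_name[name]
    while current["name"] not in seen:
        seen.add(current["name"])
        order.append(current["name"])
        if current["issuer"] == current["subject"]:
            break
        parents = by_subject.get(current["issuer"], [])
        if len(parents) != 1:
            break
        current = by_name[parents[0]]
    return order


if __name__ == "__main__":
    cmds, unresolved, ambiguous = plan_links(CERTKEYS)
    for c in cmds:
        print(c)
    print("unresolved:", unresolved)
    print("ambiguous:", ambiguous)
    print("chain:", " -> ".join(chain(CERTKEYS, "siteAcertkey")))
```

chain() is the check to run after linking: for a server certkey it should end at a self-signed root, and a chain that stops short points at the pair that still needs its CA added or linked.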

unset ssl certKey

Use this command to remove ssl certKey settings. Refer to the set ssl certKey command for the meanings of the arguments.

Synopsis

unset ssl certKey <certkeyName> [-expiryMonitor] [-notificationPeriod]

clear ssl certKey

Clear cached ocspStapling response in certkey.

Synopsis

clear ssl certKey <certkeyName> -ocspstaplingCache

Arguments

certkeyName Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cert” or ‘my cert’).

ocspstaplingCache Clear cached ocspStapling response in certkey.

rm ssl certKey

Removes all the certificate-key pairs, or the specified certificate-key pair, from the appliance. The certificate-key pair is removed only if it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server or linked to another certificate-key pair.

Synopsis

rm ssl certKey <certkeyName> ... [-deletefromdevice]

Arguments

certkeyName Name of the certificate-key pair to remove.

deletefromdevice Also delete the certificate and key files from the file system.

Example

1) rm ssl certkey siteAcertkey

   The above command removes the certificate-key pair siteAcertkey from the system.

2) rm ssl certkey siteAcertkey -deletefromdevice

   The above command removes the certificate-key pair siteAcertkey from the system along with its certificate and key files from the file system.

set ssl certKey

Modifies the specified attributes of a certificate-key pair.

Synopsis

set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]

Arguments

certkeyName Name of the certificate-key pair to modify.

expiryMonitor Issue an alert when the certificate is about to expire.

Possible values: ENABLED, DISABLED

notificationPeriod Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100
