ssl-certKey
The following operations can be performed on “ssl-certKey”:
show | bind | unlink | update | add | unbind | link | unset | clear | rm | set
show ssl certKey
Displays information about all the certificate-key pairs configured on the appliance, or displays detailed information about the specified certificate-key pair.
Synopsis
show ssl certKey [
Arguments
certkeyName Name of the certificate-key pair for which to show detailed information.
Output
cert The name and location of the file containing the certificate.
key The name and location of the file containing the key.
inform The encoding format of the certificate and key (PEM, DER, or PFX).
signatureAlg Signature algorithm.
CertificateType Specifies whether the certificate is of type root-CA, intermediate-CA, server, client, or client and server.
serial Serial number.
issuer Issuer name.
clientCertNotBefore Not-Before date.
clientCertNotAfter Not-After date.
daysToExpiration Days remaining for the certificate to expire.
subject Subject name.
publickey Public key algorithm.
publickeysize Size of the public key.
version Version.
priority OCSP priority.
status Status of the certificate.
fipsKey FIPS key ID.
hsmKey External HSM key ID.
passcrypt Passcrypt.
passplain Passplain.
data Vserver Id
serverName Vserver name to which the certificate key pair is bound.
serviceName Service name to which the certificate key pair is bound.
ocspResponder OCSP responders bound to this certkey
sslProfile SSL profile name to which the certificate key pair is bound.
expiryMonitor Certificate expiry monitor
notificationPeriod Certificate expiry notification period
linkCertKeyName The name of the Certificate-Authority.
stateflag
sandns Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called “Subject Alternative Names” (SAN). This field is for DNS names.
sanipadd Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called “Subject Alternative Names” (SAN). This field is for IP addresses.
ocspResponseStatus OCSP response status of the certificate.
ocspBindReferences Number of references to the OCSP responder by this certkey.
gslbServiceFlag Indicates that this is a GSLB service.
builtin Flag to determine whether the certkey is built-in.
feature The feature to be checked while applying this config
CertKeyDigest Stores the added md5sum of certificate and key files
devno count
Example
1) An example of the output of the show ssl certkey command is shown below:
2 configured certkeys:
1) Name: siteAcertkey
   Cert Path: /nsconfig/ssl/siteA-cert.pem
   Key Path: /nsconfig/ssl/siteA-key.pem
   Format: PEM
   Status: Valid
2) Name: cert1
   Cert Path: /nsconfig/ssl/server_cert.pem
   Key Path: /nsconfig/ssl/server_key.pem
   Format: PEM
   Status: Valid
2) An example of the output of the show ssl certkey siteAcertkey command is shown below:
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
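The sample output above describes an MD5-signed certificate with a 1024-bit RSA key that expired in 2004, which is exactly what a periodic audit of certificate-key pairs should flag. The following is an added example (not Citrix code) that parses the detailed show ssl certkey output using the field labels from that sample and reports weak or expired certificates; the function names, the sample's line layout, and the policy thresholds are assumptions.

```python
import re
from datetime import datetime, timezone

# Field labels as printed in the page's `show ssl certkey <name>` example.
LABELS = ["Name", "Status", "Version", "Serial Number", "Signature Algorithm",
          "Issuer", "Not Before", "Not After", "Subject",
          "Public Key Algorithm", "Public Key size"]
# "Validity" is a bare group heading, so it only acts as a separator.
_FIELD = re.compile(r"(?:(%s):|Validity)\s*" % "|".join(map(re.escape, LABELS)))
WEAK_SIG_PREFIXES = ("md5", "sha1")  # assumption: local policy
MIN_RSA_BITS = 2048                  # assumption: local policy

def parse_certkey(text):
    """Split on known labels, so lost line breaks do not matter."""
    matches, fields = list(_FIELD.finditer(text)), {}
    for cur, nxt in zip(matches, matches[1:] + [None]):
        if cur.group(1):
            end = nxt.start() if nxt else len(text)
            fields[cur.group(1)] = text[cur.end():end].strip()
    return fields

def audit(fields, now, warn_days=30):
    """Return findings for one parsed pair; `now` is an aware UTC datetime."""
    findings = []
    sig = fields.get("Signature Algorithm", "")
    if sig.lower().startswith(WEAK_SIG_PREFIXES):
        findings.append("weak signature algorithm: " + sig)
    bits = int(fields.get("Public Key size") or 0)
    if fields.get("Public Key Algorithm") == "rsaEncryption" and bits < MIN_RSA_BITS:
        findings.append("RSA key too small: %d bits" % bits)
    if "Not After" in fields:
        end = datetime.strptime(fields["Not After"], "%b %d %H:%M:%S %Y GMT")
        days = (end.replace(tzinfo=timezone.utc) - now).days
        if days < 0:
            findings.append("expired %d days ago" % -days)
        elif days <= warn_days:
            findings.append("expires in %d days" % days)
    return findings

# Sample: the page's example output for siteAcertkey (line layout assumed).
SAMPLE = """Name: siteAcertkey  Status: Valid  Version: 3  Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity  Not Before: Nov 11 14:58:18 2001 GMT  Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption  Public Key size: 1024"""

if __name__ == "__main__":
    print(audit(parse_certkey(SAMPLE), datetime.now(timezone.utc)))
```

The daysToExpiration and status output fields listed above carry the appliance's own view of expiry; this check is useful when only captured CLI output is available.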
bind ssl certKey
Binds a certificate-key pair to an SSL virtual server or an SSL service.
Synopsis
bind ssl certKey [
Arguments
certkeyName Name of the certificate-key pair.
ocspResponder Name of the OCSP responder to be associated with the CA certificate.
priority Priority of the OCSP responder binding. Minimum value: 1
Example
1) bind ssl certkey cacert -ocspResponder ocsp_ca -priority 1
In the above example, the CA certificate cacert is bound with the OCSP responder ocsp_ca with priority 1, which is highest.
unlink ssl certKey
Unlinks the certificate-key pair from its Certificate-Authority (CA) certificate-key pair.
Synopsis
unlink ssl certKey
Arguments
certkeyName Name of the certificate-key pair to unlink.
Example
1) unlink ssl certkey siteAcertkey
The above example unlinks the certificate ‘siteAcertkey’ from its Certificate-Authority (CA) certificate.
update ssl certKey
Updates the certificate or private key in a certificate-key pair. In a high availability configuration, the path to the certificate and the optional private key must be the same on the primary and secondary nodes.
Synopsis
update ssl certKey
Arguments
certkeyName Name of the certificate-key pair to update.
cert Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
key Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
password Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.
fipsKey Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.
inform Input format of the certificate and the private-key files. The three formats supported by the appliance are:
PEM - Privacy Enhanced Mail
DER - Distinguished Encoding Rule
PFX - Personal Information Exchange
Possible values: DER, PEM, PFX
Default value: PEM
passplain Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.
noDomainCheck Override the check for matching domain names during a certificate update operation.
Example
1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command updates a certificate and private key file.
2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password:
The above command updates a certificate and private key file. Here the private key file is an encrypted key.
3) update ssl certkey mydomaincert
The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.
add ssl certKey
Adds a certificate-key pair to memory. After it is bound to a virtual server or service, it is used for processing SSL transactions. In a high-availability configuration, the path to the certificate and the optional private key must be the same on the primary and the secondary appliance. For a server certificate, a private key is required.
Synopsis
add ssl certKey
Arguments
certkeyName Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cert” or ‘my cert’).
cert Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
key Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The certificate file should be present on the appliance’s hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.
password Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.
fipsKey Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.
hsmKey Name of the HSM key that was created in the External Hardware Security Module (HSM) of a FIPS appliance.
inform Input format of the certificate and the private-key files. The three formats supported by the appliance are:
PEM - Privacy Enhanced Mail
DER - Distinguished Encoding Rule
PFX - Personal Information Exchange
Possible values: DER, PEM, PFX
Default value: PEM
passplain Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.
expiryMonitor Issue an alert when the certificate is about to expire.
Possible values: ENABLED, DISABLED
notificationPeriod Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100
bundle Parse the certificate chain as a single file after linking the server certificate to its issuer’s certificate within the file.
Possible values: YES, NO
Default value: NO
Example
1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command loads a certificate and private key file.
2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password:
The above command loads a certificate and private key file. Here the private key file is an encrypted key.
3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024
The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.
4) add ssl certkey externalhsmcert -cert /nsconfig/ssl/hsmcert.pem -hsmkey key_simple_rsa1
The above command loads a certificate and associates it with the corresponding HSM key that resides within the External HSM.
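When certkey names or file paths come from an inventory or a ticket rather than from an operator, checking them against the documented rules before composing the command keeps malformed input out of the appliance CLI. The following is an added example (not Citrix code): the function names and the path allowlist are assumptions, and the -inform, -expiryMonitor and -notificationPeriod options follow the argument names listed above.

```python
import re

# Documented certkeyName rule: starts with an ASCII alphanumeric or underscore,
# then only alphanumerics, underscore, # . space : @ = and hyphen.
_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_#. :@=-]*\Z")
# Assumption: a conservative allowlist for file paths, not a documented rule.
_PATH = re.compile(r"[A-Za-z0-9_./-]+\Z")
INFORM_VALUES = ("DER", "PEM", "PFX")

def quote_name(name):
    """Validate a certkeyName and quote it if it contains spaces."""
    if not _NAME.match(name):
        raise ValueError("invalid certkeyName: %r" % name)
    return '"%s"' % name if " " in name else name

def build_add_certkey(name, cert, key=None, inform="PEM", notification_period=None):
    """Return one `add ssl certkey` line, or raise ValueError on bad input."""
    if inform not in INFORM_VALUES:
        raise ValueError("inform must be one of %s" % ", ".join(INFORM_VALUES))
    for path in (cert, key):
        if path is not None and not _PATH.match(path):
            raise ValueError("unexpected characters in path: %r" % path)
    parts = ["add ssl certkey", quote_name(name), "-cert", cert]
    if key is not None:
        parts += ["-key", key]
    if inform != "PEM":  # PEM is the documented default
        parts += ["-inform", inform]
    if notification_period is not None:
        if not 10 <= notification_period <= 100:  # documented range, in days
            raise ValueError("notificationPeriod must be between 10 and 100")
        parts += ["-expiryMonitor", "ENABLED",
                  "-notificationPeriod", str(notification_period)]
    return " ".join(parts)

if __name__ == "__main__":
    print(build_add_certkey("siteAcertkey", "/nsconfig/ssl/cert.pem",
                            "/nsconfig/ssl/pkey.pem", notification_period=30))
```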
unbind ssl certKey
Unbinds the specified certificate-key pair from the SSL virtual server or service.
Synopsis
unbind ssl certKey
Arguments
certkeyName Name of the certificate-key pair to unbind.
ocspResponder Name of the OCSP responder.
Example
1) unbind ssl certkey sslvip siteAcertkey
In the above example, the server certificate siteAcertkey is unbound from the SSL virtual server.
2) unbind ssl certkey sslvip CAcertkey -CA
In the above example, the CA certificate CAcertkey is unbound from the SSL virtual server.
link ssl certKey
Links a certificate-key pair to its Certificate Authority (CA) certificate-key pair.
Synopsis
link ssl certKey
Arguments
certkeyName Name of the certificate-key pair to link to its issuer’s certificate-key pair in the chain.
linkCertKeyName Name of the Certificate Authority certificate-key pair to which to link a certificate-key pair.
Example
1) link ssl certkey siteAcertkey CAcertkey
In the above example, the certificate-key siteAcertkey is bound to its issuer certificate-key pair CAcertkey.
unset ssl certKey
Use this command to remove ssl certKey settings. Refer to the set ssl certKey command for the meanings of the arguments.
Synopsis
unset ssl certKey
clear ssl certKey
Clear cached ocspStapling response in certkey.
Synopsis
clear ssl certKey
Arguments
certkeyName Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cert” or ‘my cert’).
ocspstaplingCache Clear cached ocspStapling response in certkey.
rm ssl certKey
Removes all the certificate-key pairs, or the specified certificate-key pair, from the appliance. The certificate-key pair is removed only if it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server or linked to another certificate-key pair.
Synopsis
rm ssl certKey
Arguments
certkeyName Name of the certificate-key pair to remove.
deletefromdevice Delete cert/key file from file system.
Example
1) rm ssl certkey siteAcertkey
The above command removes the certificate-key pair siteAcertkey from the system.
2) rm ssl certkey siteAcertkey -deletefromdevice
The above command removes the certificate-key pair siteAcertkey from the system, along with its cert and key files from the file system.
set ssl certKey
Modifies the specified attributes of a certificate-key pair.
Synopsis
set ssl certKey
Arguments
certkeyName Name of the certificate-key pair to modify.
expiryMonitor Issue an alert when the certificate is about to expire.
Possible values: ENABLED, DISABLED
notificationPeriod Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire. Minimum value: 10 Maximum value: 100