ssl-crl
The following operations can be performed on “ssl-crl”:
create | show | add | unset | rm | set
create ssl crl
Revokes a certificate, or list of certificates, or generates a CRL for the list of revoked certificates.
Synopsis
create ssl crl
Arguments
CAcertFile Name of and, optionally, path to the CA certificate file. /nsconfig/ssl/ is the default path. Maximum value: 63
CAkeyFile Name of and, optionally, path to the CA key file. /nsconfig/ssl/ is the default path. Maximum value: 63
indexFile Name of and, optionally, path to the file containing the serial numbers of all the certificates that are revoked. Revoked certificates are appended to the file. /nsconfig/ssl/ is the default path. Maximum value: 63
revoke Name of and, optionally, path to the certificate to be revoked. /nsconfig/ssl/ is the default path. Maximum value: 63
genCRL Name of and, optionally, path to the CRL file to be generated. The list of certificates that have been revoked is obtained from the index file. /nsconfig/ssl/ is the default path. Maximum value: 63
password Password for the CA key file. Maximum value: 31
Example
1) create crl /nsconfig/ssl/cacert.pem /nsconfig/ssl/cakey.pem /nsconfig/ssl/index.txt -gencrl /var/netscaler/ssl/crl.pem
show ssl crl
Displays information about all the CRLs configured on the appliance, or displays detailed information about the specified CRL.
Synopsis
show ssl crl [
Arguments
crlName Name of the CRL for which to show detailed information.
Output
crlPath The name and path to the file containing the CRL.
inform The encoding format of the CRL (PEM or DER).
CAcert The CA certificate that issued the CRL.
refresh The state of the auto refresh feature for the CRL.
scope Extent of the search operation on the LDAP server. Base: exactly the same level as baseDN. One: one level below baseDN.
server The IP address of the LDAP/HTTP server from which the CRLs are to be fetched.
port The port of the LDAP/HTTP server.
url URL of the CRL distribution point.
method The method for CRL refresh (LDAP or HTTP).
baseDN The baseDN to be used to fetch the CRL object from the LDAP server.
interval The CRL refresh interval.
day The day when the CRL is to be refreshed.
time The time when the CRL is to be refreshed.
bindDN The bindDN to be used to access the CRL object in the LDAP repository.
password The password used to access the CRL object in the LDAP repository.
flags CRL status flag.
lastupdatetime Last CRL refresh time.
version CRL version.
signaturealgo Signature algorithm.
issuer Issuer name.
lastupdate Last update time.
nextupdate Next update time.
date Certificate revocation date.
number Certificate serial number.
binary Mode of retrieval of CRL from LDAP server.
daysToExpiration Number of days remaining for the CRL to expire.
devno count stateflag
Example
1) An example output of the show ssl crl command is as follows:
1 configured CRL(s)
1 Name: ca_crl
CRL Path: /var/netscaler/ssl/cr1.der
Format: DER
Cacert: ca_cert
Refresh: DISABLED

2) An example of the output of the show ssl crl ca_crl command is as follows:
Name: ca_crl
Status: Valid, Days to expiration: 21
CRL Path: /var/netscaler/ssl/cr1.der
Format: DER
CAcert: ca_cert
Refresh: DISABLED
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
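A CRL that has passed its Next_update, or one added with Refresh: DISABLED and never re-fetched, leaves the appliance validating client certificates against stale revocation data. The following added example (not Citrix code) parses the show ssl crl output format shown above from a constructed sample, answers whether a given serial is revoked, and flags the conditions an operator should act on; the threshold of 7 days and the findings wording are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample, shaped like the `show ssl crl ca_crl` output on this page.
SAMPLE = """Name: ca_crl
Status: Valid, Days to expiration: 21
Refresh: DISABLED
Signature Algorithm: md5WithRSAEncryption
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
"""
DATE_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_show_ssl_crl(text):
    """Turn the key: value lines into a dict; revoked serials become a list of ints."""
    crl = {"revoked": []}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))  # first colon only
        if key == "Serial Number":
            crl["revoked"].append(int(value, 16))  # serials are printed in hex
        elif key in ("Last_update", "Next_update"):
            crl[key.lower()] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        elif key == "Status":  # "Valid, Days to expiration: 21"
            crl["status"] = value.split(",")[0]
            m = re.search(r"Days to expiration: (\d+)", value)
            crl["days_to_expiration"] = int(m.group(1)) if m else None
        elif key:
            crl[key] = value
    return crl

def crl_findings(crl, now, warn_days=7):
    # Conditions under which revocation checking is, or is about to be, unreliable.
    findings = []
    if crl["next_update"] <= now:
        findings.append("expired: Next_update has passed, revocation checks use stale data")
    elif (crl["next_update"] - now).days < warn_days:
        findings.append(f"expiring: fewer than {warn_days} days to Next_update")
    if crl.get("Refresh") == "DISABLED":
        findings.append("no auto refresh: CRL is only updated by hand (set ssl crl -refresh ENABLED)")
    if crl.get("Signature Algorithm", "").lower().startswith("md5"):
        findings.append("weak signature: CRL is signed with MD5")
    return findings

def is_revoked(crl, serial_hex):
    return int(serial_hex, 16) in crl["revoked"]
```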
add ssl crl
Adds a Certificate Revocation List (CRL). A CRL identifies invalid certificates by serial number and issuer. In a high availability configuration, the CRL must be in the same location on the primary and secondary nodes.
Synopsis
add ssl crl
Arguments
crlName Name for the Certificate Revocation List (CRL). Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the CRL is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my crl” or ‘my crl’).
crlPath Path to the CRL file. /var/netscaler/ssl/ is the default path.
inform Input format of the CRL file. The two formats supported on the appliance are: PEM - Privacy Enhanced Mail. DER - Distinguished Encoding Rule.
Possible values: DER, PEM Default value: PEM
refresh Set CRL auto refresh.
Possible values: ENABLED, DISABLED
CAcert CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.
method Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.
Possible values: HTTP, LDAP
server IP address of the LDAP server from which to fetch the CRLs.
url URL of the CRL distribution point.
port Port for the LDAP server. Minimum value: 1
baseDN Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure’s DN.
scope Extent of the search operation on the LDAP server. Available settings function as follows: One - One level below Base DN. Base - Exactly the same level as Base DN.
Possible values: Base, One Default value: One
interval CRL refresh interval. Use the NONE setting to unset this parameter.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE
day Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY. Minimum value: 0 Maximum value: 31
time Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.
bindDN Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.
password Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.
binary Set the LDAP-based CRL retrieval mode to binary.
Possible values: YES, NO Default value: NO
Example
1) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
   add ssl crl crl_file /var/netscaler/ssl/crl.pem -cacert CAcert
The above commands add a CRL from the local storage system (HDD) with no refresh set.
2) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
   add ssl crl crl_file /var/netscaler/ssl/crl_new.pem -cacert CAcert -refresh ENABLED -server 10.102.1.100 -port 389 -interval DAILY -baseDN o=example.com,ou=security,c=US
The above commands add a CRL to the system by fetching the CRL from the LDAP server and setting the refresh interval to daily.
unset ssl crl
Use this command to remove ssl crl settings. Refer to the set ssl crl command for the meanings of the arguments.
Synopsis
unset ssl crl
rm ssl crl
Removes the specified CRL from the appliance.
Synopsis
rm ssl crl
Arguments
crlName Name of the CRL to remove.
Example
1) rm ssl crl ca_crl
The above CLI command deletes the CRL object ca_crl from the system.
set ssl crl
Modifies all the parameters of a CRL, except the CRL name and method.
Synopsis
set ssl crl
Arguments
crlName Name of the CRL to be modified.
refresh Set CRL auto refresh.
Possible values: ENABLED, DISABLED
CAcert CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.
server IP address of the LDAP server from which to fetch the CRLs.
method Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.
Possible values: HTTP, LDAP
url URL of the CRL distribution point.
port Port for the LDAP server. Minimum value: 1
baseDN Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure’s DN.
scope Extent of the search operation on the LDAP server. Available settings function as follows: One - One level below Base DN. Base - Exactly the same level as Base DN.
Possible values: Base, One Default value: One
interval CRL refresh interval. Use the NONE setting to unset this parameter.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE
day Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY. Minimum value: 0 Maximum value: 31
time Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.
bindDN Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.
password Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.
binary Set the LDAP-based CRL retrieval mode to binary.
Possible values: YES, NO Default value: NO
Example
1) set ssl crl crl_file -refresh ENABLE -interval MONTHLY -days 10 -time 12:00
The above example sets the CRL refresh to every month, on date=10, at time=12:00 hrs.
2) set ssl crl crl_file -refresh ENABLE -interval WEEKLY -days 1 -time 00:10
The above example sets the CRL refresh to every week, on weekday=Monday, at 10 minutes past midnight.
3) set ssl crl crl_file -refresh ENABLE -interval DAILY -days 1 -time 12:00
The above example sets the CRL refresh to every day, at 12:00 hrs.
4) set ssl crl crl_file -refresh ENABLE -days 10
The above example sets the CRL refresh to every 10 days. Note: the CRL will be refreshed every 10 days; the time of the CRL refresh will be 00:00 hrs.
5) set ssl crl crl_file -refresh ENABLE -time 01:00
The above example sets the CRL refresh to every 1 hour.
6) set ssl crl crl_file -refresh ENABLE -interval NOW
The above example sets the CRL refresh to happen instantaneously.
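The meaning of -day changes with -interval (a date for MONTHLY, a weekday for WEEKLY, ignored for DAILY, a period in days when no interval is set), which makes a mis-typed schedule easy to miss. The following added example (not Citrix code) encodes the -interval/-day/-time rules from the argument descriptions and examples above into a helper that rejects the combinations this page rules out and describes the valid ones in words; the function name and the wording of its output are assumptions.

```python
import re

WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

def describe_refresh(interval=None, day=None, time=None):
    """Validate a 'set ssl crl -refresh ENABLED' schedule and say what it does.

    Constructed helper: it applies the page's rules for -interval, -day and -time
    and raises ValueError for a combination those rules do not allow.
    """
    if time is not None and not re.fullmatch(r"\d{2}:\d{2}", time):
        raise ValueError("time must be HH:MM")
    if day is not None and not 0 <= day <= 31:
        raise ValueError("day must be between 0 and 31")
    at = f" at {time}" if time else ""
    if interval == "NOW":
        return "refresh immediately"
    if interval == "MONTHLY":          # -day is a date
        if day is None or day < 1:
            raise ValueError("MONTHLY needs a date (1-31) in -day")
        return f"monthly on day {day}{at}"
    if interval == "WEEKLY":           # -day is a weekday, Sun=0 .. Sat=6
        if day is None or day > 6:
            raise ValueError("WEEKLY needs a weekday (Sun=0 .. Sat=6) in -day")
        return f"weekly on {WEEKDAYS[day]}{at}"
    if interval == "DAILY":            # -day is not applicable
        return f"daily{at}"
    if interval in (None, "NONE"):     # no interval: -day is a period in days
        if day is not None:
            return f"every {day} days at {time or '00:00'}"  # page: defaults to 00:00 hrs
        if time is not None:           # page example 5: -time 01:00 refreshes every hour
            hours, minutes = (int(x) for x in time.split(":"))
            return f"every {hours}h{minutes:02d}m"
        raise ValueError("give an interval, a day count or a time")
    raise ValueError(f"unknown interval {interval!r}")
```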