ssl-ocspResponder
The following operations can be performed on “ssl-ocspResponder”:
show | add | rm | set | unset
show ssl ocspResponder
Displays information about all the OCSP responders configured on the appliance, or displays detailed information about the specified OCSP responder.
Synopsis
show ssl ocspResponder [
Arguments
name Name of the OCSP responder for which to show detailed information.
Output
url URL of the OCSP responder.
cache Enable caching of responses. Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder.
cacheTimeout Timeout for caching the OCSP response. After the timeout, the Citrix ADC sends a fresh request to the OCSP responder for the certificate status. If a timeout is not specified, the timeout provided in the OCSP response applies.
batchingDepth Number of client certificates to batch together into one OCSP request. Batching avoids overloading the OCSP responder. A value of 1 signifies that each request is queried independently. For a value greater than 1, specify a timeout (batching delay) to avoid inordinately delaying the processing of a single certificate.
batchingDelay Maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not apply if the Batching Depth is 1.
ocspUrlResolveTimeout Time, in milliseconds, to wait for an OCSP URL Resolution. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server.
resptimeout Maximum time, in ms, to wait for an OCSP response before giving up. Defaults to 2000 ms. If this is set to 0, Citrix ADC waits for an indefinite amount of time.
producedAtTimeSkew Time, in seconds, for which the Citrix ADC waits before considering the response as invalid. The response is considered invalid if the Produced At time stamp in the OCSP response exceeds or precedes the current Citrix ADC clock time by the amount of time specified.
responderCert | trustResponder A certificate to use to validate OCSP responses. Alternatively, if -trustResponder is specified, no verification is done on the response. If both are omitted, only the response times (producedAt, lastUpdate, nextUpdate) are verified.
signingCert Certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the requests are not signed.
useNonce Add a nonce to the OCSP request. Protects against replay attacks.
insertClientCert Include the complete client certificate in the OCSP request.
ocspAiaRefcount Number of CA certificates referencing this AIA responder.
httpMethod HTTP method used to send the OCSP request. POST is the default httpMethod. If the request length is > 255, POST will be used even if GET is set as httpMethod.
ocspIpAddrStr DNS-resolved IP address of the responder.
port Port number on which the OCSP server listens.
devno count stateflag
add ssl ocspResponder
Adds an OCSP responder. An OCSP responder identifies the OCSP server that validates a certificate. Citrix ADCs support OCSP as defined in RFC 2560.
Synopsis
add ssl ocspResponder
Arguments
name Name for the OCSP responder. Cannot begin with a hash (#) or space character and must contain only ASCII alphanumeric, underscore (_), hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the responder is created.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my responder” or ‘my responder’).
url URL of the OCSP responder.
cache Enable caching of responses. Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder.
Possible values: ENABLED, DISABLED. Default value: DISABLED.
cacheTimeout Timeout for caching the OCSP response. After the timeout, the Citrix ADC sends a fresh request to the OCSP responder for the certificate status. If a timeout is not specified, the timeout provided in the OCSP response applies. Default value: 1. Minimum value: 1. Maximum value: 43200.
batchingDepth Number of client certificates to batch together into one OCSP request. Batching avoids overloading the OCSP responder. A value of 1 signifies that each request is queried independently. For a value greater than 1, specify a timeout (batching delay) to avoid inordinately delaying the processing of a single certificate. Minimum value: 1. Maximum value: 8.
batchingDelay Maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not apply if the Batching Depth is 1. Minimum value: 1. Maximum value: 10000.
resptimeout Time, in milliseconds, to wait for an OCSP response. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Includes the Batching Delay time. Minimum value: 100. Maximum value: 120000.
ocspUrlResolveTimeout Time, in milliseconds, to wait for an OCSP URL resolution. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Minimum value: 100. Maximum value: 2000.
responderCert | trustResponder A certificate to use to validate OCSP responses. Alternatively, if -trustResponder is specified, no verification is done on the response. If both are omitted, only the response times (producedAt, lastUpdate, nextUpdate) are verified.
producedAtTimeSkew Time, in seconds, for which the Citrix ADC waits before considering the response as invalid. The response is considered invalid if the Produced At time stamp in the OCSP response exceeds or precedes the current Citrix ADC clock time by the amount of time specified. Default value: 300. Minimum value: 0. Maximum value: 86400.
signingCert Certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the requests are not signed.
useNonce Enable the OCSP nonce extension, which is designed to prevent replay attacks.
Possible values: YES, NO.
insertClientCert Include the complete client certificate in the OCSP request.
Possible values: YES, NO.
httpMethod HTTP method used to send the OCSP request. POST is the default httpMethod. If the request length is > 255, POST will be used even if GET is set as httpMethod.
Possible values: GET, POST. Default value: POST.
Example
1) add ssl ocspResponder -url http://ocsp.example.com -producedAtTimeSkew 0
The above command will only allow responses that were generated in the same second to be used. That is, if the response was generated at 12:00:01, it would have to be received by the Citrix ADC by 12:00:59 to be considered still valid.
2) add ssl ocspResponder -url http://ocsp.example.com -producedAtTimeSkew 300
This command will allow responses to vary up to five minutes plus or minus. That is, if the response has a producedAt time of 12:00:00, it will be accepted at the Citrix ADC if the local clock is between 11:55:00 and 12:05:00.
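As an added illustration (not Citrix ADC code), the following Python models two of the decision rules documented above so their effect can be checked offline: the producedAtTimeSkew acceptance window from the two examples, and the httpMethod fallback to POST for requests longer than 255 bytes. The function names and the sample timestamps are assumptions made for the demonstration.

```python
from datetime import datetime, timedelta

# Added example, not Citrix ADC code: models the documented rules for
# -producedAtTimeSkew and -httpMethod. Function names and the sample
# timestamps below are constructed for illustration.

SKEW_MIN, SKEW_MAX = 0, 86400        # documented range for producedAtTimeSkew
GET_MAX_REQUEST_LENGTH = 255         # above this, POST is used even if GET is set


def produced_at_is_valid(produced_at: datetime, adc_clock: datetime, skew_seconds: int) -> bool:
    """producedAtTimeSkew rule: the response is invalid if its producedAt time
    exceeds or precedes the ADC clock by more than skew_seconds."""
    if not SKEW_MIN <= skew_seconds <= SKEW_MAX:
        raise ValueError(f"producedAtTimeSkew must be in {SKEW_MIN}..{SKEW_MAX}")
    # OCSP producedAt carries one-second granularity, so compare whole seconds.
    delta = abs(int((adc_clock - produced_at).total_seconds()))
    return delta <= skew_seconds


def skew_window(produced_at: datetime, skew_seconds: int) -> tuple:
    """Earliest and latest ADC clock values at which a response with this
    producedAt is accepted (reproduces the 11:55:00..12:05:00 example)."""
    if not SKEW_MIN <= skew_seconds <= SKEW_MAX:
        raise ValueError(f"producedAtTimeSkew must be in {SKEW_MIN}..{SKEW_MAX}")
    width = timedelta(seconds=skew_seconds)
    return produced_at - width, produced_at + width


def effective_http_method(configured: str, request_length: int) -> str:
    """httpMethod rule: POST is the default; GET is honoured only while the
    encoded request is at most 255 bytes, longer requests fall back to POST."""
    if configured not in ("GET", "POST"):
        raise ValueError("httpMethod must be GET or POST")
    if configured == "GET" and request_length > GET_MAX_REQUEST_LENGTH:
        return "POST"
    return configured


if __name__ == "__main__":
    # Constructed timestamps matching the two examples on this page.
    produced = datetime(2024, 1, 1, 12, 0, 0)
    print("skew 300 window:", skew_window(produced, 300))
    print("accepted at 11:55:00:", produced_at_is_valid(produced, datetime(2024, 1, 1, 11, 55, 0), 300))
    print("accepted at 12:05:01:", produced_at_is_valid(produced, datetime(2024, 1, 1, 12, 5, 1), 300))
    print("GET with 300-byte request ->", effective_http_method("GET", 300))
```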
rm ssl ocspResponder
Removes the specified OCSP responder from the appliance.
Synopsis
rm ssl ocspResponder
Arguments
name Name of the OCSP responder to remove. The OCSP responder is removed only if it is not referenced by any other object.
Example
1) rm ssl ocspResponder o1
The above command removes the OCSP responder o1 from the system.
set ssl ocspResponder
Modifies the parameters of an OCSP responder.
Synopsis
set ssl ocspResponder
Arguments
name Name of the OCSP responder to modify.
url URL of the OCSP responder.
cache Enable caching of responses. Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder.
Possible values: ENABLED, DISABLED. Default value: DISABLED.
cacheTimeout Timeout for caching the OCSP response. After the timeout, the Citrix ADC sends a fresh request to the OCSP responder for the certificate status. If a timeout is not specified, the timeout provided in the OCSP response applies. Default value: 1. Minimum value: 1. Maximum value: 43200.
batchingDepth Number of client certificates to batch together into one OCSP request. Batching avoids overloading the OCSP responder. A value of 1 signifies that each request is queried independently. For a value greater than 1, specify a timeout (batching delay) to avoid inordinately delaying the processing of a single certificate. Minimum value: 1. Maximum value: 8.
batchingDelay Maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not apply if the Batching Depth is 1. Minimum value: 1. Maximum value: 10000.
resptimeout Time, in milliseconds, to wait for an OCSP response. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Includes the Batching Delay time. Minimum value: 100. Maximum value: 120000.
ocspUrlResolveTimeout Time, in milliseconds, to wait for an OCSP URL resolution. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Minimum value: 100. Maximum value: 2000.
responderCert | trustResponder A certificate to use to validate OCSP responses. Alternatively, if -trustResponder is specified, no verification is done on the response. If both are omitted, only the response times (producedAt, lastUpdate, nextUpdate) are verified.
producedAtTimeSkew Time, in seconds, for which the Citrix ADC waits before considering the response as invalid. The response is considered invalid if the Produced At time stamp in the OCSP response exceeds or precedes the current Citrix ADC clock time by the amount of time specified. Default value: 300. Minimum value: 0. Maximum value: 86400.
signingCert Certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the requests are not signed.
useNonce Enable the OCSP nonce extension, which is designed to prevent replay attacks.
Possible values: YES, NO.
insertClientCert Include the complete client certificate in the OCSP request.
Possible values: YES, NO.
httpMethod HTTP method used to send the OCSP request. POST is the default httpMethod. If the request length is > 255, POST will be used even if GET is set as httpMethod.
Possible values: GET, POST. Default value: POST.
Example
1) add ssl ocspResponder -url http://ocsp.example.com -producedAtTimeSkew 0
The above command will only allow responses that were generated in the same second to be used. That is, if the response was generated at 12:00:01, it would have to be received by the Citrix ADC by 12:00:59 to be considered still valid.
2) add ssl ocspResponder -url http://ocsp.example.com -producedAtTimeSkew 300
This command will allow responses to vary up to five minutes plus or minus. That is, if the response has a producedAt time of 12:00:00, it will be accepted at the Citrix ADC if the local clock is between 11:55:00 and 12:05:00.
unset ssl ocspResponder
Removes the attributes of an OCSP responder. Attributes for which a default value is available revert to their default values. Refer to the set ssl ocspResponder command for descriptions of the arguments.
Synopsis
unset ssl ocspResponder