Product Documentation

ssl certKey

Sep 12, 2016

The following operations can be performed on "ssl certKey":

add ssl certKey

Adds a certificate-key pair to memory. After it is bound to a virtual server or service, it is used for processing SSL transactions. In a high-availability configuration, the path to the certificate and the optional private key must be the same on the primary and the secondary appliance. For a server certificate, a private key is required.

Synopsis

add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]

Arguments

certkeyName

Name for the certificate and private-key pair. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the certificate-key pair is created.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cert" or 'my cert').

cert

Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance's hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

key

Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The private-key file should be present on the appliance's hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

password

Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.

fipsKey

Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.

hsmKey

Name of the HSM key that was created in the External Hardware Security Module (HSM) of a FIPS appliance.

inform

Input format of the certificate and the private-key files. The three formats supported by the appliance are:

PEM - Privacy Enhanced Mail

DER - Distinguished Encoding Rule

PFX - Personal Information Exchange

Possible values: DER, PEM, PFX

Default value: PEM

passplain

Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.

expiryMonitor

Issue an alert when the certificate is about to expire.

Possible values: ENABLED, DISABLED

notificationPeriod

Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire.

Minimum value: 10

Maximum value: 100

bundle

Parse the certificate chain as a single file after linking the server certificate to its issuer's certificate within the file.

Possible values: YES, NO

Default value: NO
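The argument constraints above (the certkeyName character rules and CLI quoting requirement, the mutually exclusive -key / -fipsKey / -hsmKey options, the -inform values, the 10 to 100 day -notificationPeriod range, and the default /nsconfig/ssl/ location that keeps a high availability pair consistent) are easy to get wrong when add ssl certKey commands are generated by automation. The following Python is an added example, not NetScaler code: it builds the command line and rejects inputs that violate a documented constraint before anything reaches the appliance. The function and variable names are this example's own.

```python
import re

# Naming rule from the certkeyName argument: first character is an ASCII
# alphanumeric or underscore; later characters may also be # . space : @ = and -.
CERTKEY_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_#. :@=-]*$")
INFORMS = ("PEM", "DER", "PFX")
DEFAULT_SSL_DIR = "/nsconfig/ssl/"


def is_valid_certkey_name(name):
    """True if name satisfies the documented certkeyName character rules."""
    return CERTKEY_NAME_RE.match(name) is not None


def cli_quote(name):
    """Quote a name for the NetScaler CLI only when it contains spaces."""
    return f'"{name}"' if " " in name else name


def is_default_location(path):
    """True for a bare file name or a path under the default /nsconfig/ssl/
    directory; anything else risks primary/secondary inconsistency in HA."""
    return "/" not in path or path.startswith(DEFAULT_SSL_DIR)


def build_add_certkey(name, cert, key=None, fips_key=None, hsm_key=None,
                      inform="PEM", password=False, expiry_monitor=None,
                      notification_period=None, bundle=None):
    """Return the 'add ssl certKey' command line, or raise ValueError when
    the arguments violate a constraint stated in the reference."""
    if not is_valid_certkey_name(name):
        raise ValueError(f"invalid certkeyName: {name!r}")
    if sum(o is not None for o in (key, fips_key, hsm_key)) > 1:
        raise ValueError("-key, -fipsKey and -hsmKey are mutually exclusive")
    if inform not in INFORMS:
        raise ValueError(f"-inform must be one of {INFORMS}")
    if expiry_monitor not in (None, "ENABLED", "DISABLED"):
        raise ValueError("-expiryMonitor must be ENABLED or DISABLED")
    if notification_period is not None:
        if expiry_monitor != "ENABLED":
            raise ValueError("-notificationPeriod requires -expiryMonitor ENABLED")
        if not 10 <= notification_period <= 100:
            raise ValueError("-notificationPeriod must be between 10 and 100 days")
    if bundle not in (None, "YES", "NO"):
        raise ValueError("-bundle must be YES or NO")

    parts = ["add", "ssl", "certKey", cli_quote(name), "-cert", cert]
    if password:
        # The passphrase is prompted for interactively; it never goes on the
        # command line, so it cannot leak through history or process listings.
        parts.append("-password")
    if key is not None:
        parts += ["-key", key]
    if fips_key is not None:
        parts += ["-fipsKey", fips_key]
    if hsm_key is not None:
        parts += ["-hsmKey", hsm_key]
    if inform != "PEM":                      # PEM is the default
        parts += ["-inform", inform]
    if expiry_monitor is not None:
        parts += ["-expiryMonitor", expiry_monitor]
        if notification_period is not None:
            parts += ["-notificationPeriod", str(notification_period)]
    if bundle is not None:
        parts += ["-bundle", bundle]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_add_certkey("siteAcertkey", "/nsconfig/ssl/cert.pem",
                            key="/nsconfig/ssl/pkey.pem",
                            expiry_monitor="ENABLED", notification_period=30))
```

A caller that also checks is_default_location() on the -cert and -key paths before running the command gets an early warning about the high availability caveat, rather than discovering it after failover.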

Example

1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem

The above command loads a certificate and private key file.

2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********

The above command loads a certificate and private key file. Here the private key file is an encrypted key.

3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024

The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.

4) add ssl certkey externalhsmcert -cert /nsconfig/ssl/hsmcert.pem -hsmkey key_simple_rsa1

The above command loads a certificate and associates it with the corresponding HSM key that resides within the External HSM.

rm ssl certKey

Removes all the certificate-key pairs, or the specified certificate-key pair, from the appliance. The certificate-key pair is removed only if it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server or linked to another certificate-key pair.

Synopsis

rm ssl certKey <certkeyName> ...

Arguments

certkeyName

Name of the certificate-key pair to remove.

Example

1) rm ssl certkey siteAcertkey

The above command removes the certificate-key pair siteAcertkey from the system.

set ssl certKey

Modifies the specified attributes of a certificate-key pair.

Synopsis

set ssl certKey <certkeyName> [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]]

Arguments

certkeyName

Name of the certificate-key pair to modify.

expiryMonitor

Issue an alert when the certificate is about to expire.

Possible values: ENABLED, DISABLED

notificationPeriod

Time, in number of days, before certificate expiration, at which to generate an alert that the certificate is about to expire.

Minimum value: 10

Maximum value: 100

unset ssl certKey

Use this command to remove ssl certKey settings. Refer to the set ssl certKey command for the meanings of the arguments.

Synopsis

unset ssl certKey <certkeyName> [-expiryMonitor] [-notificationPeriod]

bind ssl certKey

Binds a certificate-key pair to an SSL virtual server or an SSL service.

Synopsis

bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]

Arguments

certkeyName

Name of the certificate-key pair.

ocspResponder

Name of the OCSP responder to be associated with the CA certificate.

priority

Priority of the OCSP responder binding.

Minimum value: 1

Maximum value: 32

Example

1) bind ssl certkey cacert -ocspResponder ocsp_ca -priority 1

In the above example, the CA certificate cacert is bound to the OCSP responder ocsp_ca with priority 1, which is the highest priority.


unbind ssl certKey

Unbinds the specified certificate-key pair from the SSL virtual server or service.

Synopsis

unbind ssl certKey <certkeyName> -ocspResponder <string>

Arguments

certkeyName

Name of the certificate-key pair to unbind.

ocspResponder

Name of the OCSP responder.

Example

1) unbind ssl certkey sslvip siteAcertkey

In the above example, the server certificate siteAcertkey is unbound from the SSL virtual server.

2) unbind ssl certkey sslvip CAcertkey -CA

In the above example, the CA certificate CAcertkey is unbound from the SSL virtual server.

link ssl certKey

Links a certificate-key pair to its Certificate Authority (CA) certificate-key pair.

Synopsis

link ssl certKey <certkeyName> <linkCertKeyName>

Arguments

certkeyName

Name of the certificate-key pair to link to its issuer's certificate-key pair in the chain.

linkCertKeyName

Name of the Certificate Authority certificate-key pair to which to link a certificate-key pair.

Example

1) link ssl certkey siteAcertkey CAcertkey

In the above example, the certificate-key pair siteAcertkey is linked to its issuer certificate-key pair CAcertkey.

unlink ssl certKey

Unlinks the certificate-key pair from its Certificate-Authority (CA) certificate-key pair.

Synopsis

unlink ssl certKey <certkeyName>

Arguments

certkeyName

Name of the certificate-key pair to unlink.

Example

1) unlink ssl certkey siteAcertkey

The above example unlinks the certificate 'siteAcertkey' from its Certificate-Authority (CA) certificate.


show ssl certKey

Displays information about all the certificate-key pairs configured on the appliance, or displays detailed information about the specified certificate-key pair.

Synopsis

show ssl certKey [<certkeyName>]

Arguments

certkeyName

Name of the certificate-key pair for which to show detailed information.

Outputs

cert

The name and location of the file containing the certificate.

key

The name and location of the file containing the key.

inform

The encoding format of the certificate and key (PEM, DER, or PFX).

signatureAlg

Signature algorithm.

CertificateType

Specifies whether the certificate is of type root-CA, intermediate-CA, server, client, or client and server.

serial

Serial number.

issuer

Issuer name.

clientCertNotBefore

Not-Before date.

clientCertNotAfter

Not-After date.

daysToExpiration

Days remaining for the certificate to expire.

subject

Subject name.

publickey

Public key algorithm.

publickeysize

Size of the public key.

version

Version.

priority

OCSP responder binding priority.

status

Status of the certificate.

fipsKey

FIPS key ID.

hsmKey

External HSM key ID.

passcrypt

Passcrypt.

data

Vserver ID.

serverName

Vserver name to which the certificate key pair is bound.

serviceName

Service name to which the certificate key pair is bound.

ocspResponder

OCSP responders bound to this certkey.

expiryMonitor

Certificate expiry monitor.

notificationPeriod

Certificate expiry notification period.

linkCertKeyName

The name of the Certificate-Authority.

stateflag

gslbServiceFlag

Indicates that this is a GSLB service.

devno

count

Example

1) An example of the output of the show ssl certkey command is shown below:

2 configured certkeys:
1) Name: siteAcertkey
   Cert Path: /nsconfig/ssl/siteA-cert.pem
   Key Path: /nsconfig/ssl/siteA-key.pem
   Format: PEM
   Status: Valid
2) Name: cert1
   Cert Path: /nsconfig/ssl/server_cert.pem
   Key Path: /nsconfig/ssl/server_key.pem
   Format: PEM
   Status: Valid

2) An example of the output of the show ssl certkey siteAcertkey command is shown below:

Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
  Not Before: Nov 11 14:58:18 2001 GMT
  Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
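The show ssl certKey output is what an operator has to work from when the appliance's own expiryMonitor alert is the only signal; a fleet-wide check usually needs the same daysToExpiration and notificationPeriod logic applied offline to collected output. The following Python is an added example, not part of the NetScaler documentation: it parses the detailed show ssl certkey output into fields, computes days to expiration against a supplied reference date, applies the 10 to 100 day notificationPeriod rule, and additionally flags a weak signature algorithm or an RSA key shorter than 2048 bits (those two thresholds are this example's own policy, not something the reference states). The sample output is constructed from the page's example, with the Subject line normalised to ST=CA.

```python
from datetime import datetime, timezone

# Constructed sample, modelled on the "show ssl certkey siteAcertkey" output
# in this reference (Subject normalised to ST=CA).
SAMPLE_SHOW_OUTPUT = """\
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
  Not Before: Nov 11 14:58:18 2001 GMT
  Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
"""

# Date form used by the appliance output: "Mon D HH:MM:SS YYYY GMT".
NS_DATE_FMT = "%b %d %H:%M:%S %Y GMT"
WEAK_SIG_PREFIXES = ("md2", "md4", "md5", "sha1")   # example policy, not from the reference


def utc(year, month, day):
    """Timezone-aware UTC midnight, used as the reference 'now' in checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_show_certkey(text):
    """Turn the 'Field: value' lines of show ssl certKey output into a dict.
    Lines without a colon (such as the bare 'Validity' header) are skipped."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_ns_date(value):
    """Parse an appliance date, tolerating the doubled spaces seen in output."""
    normalised = " ".join(value.split())
    return datetime.strptime(normalised, NS_DATE_FMT).replace(tzinfo=timezone.utc)


def days_to_expiration(fields, now):
    """Whole days until Not After, negative once the certificate has expired."""
    return (parse_ns_date(fields["Not After"]) - now).days


def audit_certkey(fields, now, notification_period=30, min_rsa_bits=2048):
    """Return a list of findings for one certkey, in order of severity."""
    if not 10 <= notification_period <= 100:
        raise ValueError("notificationPeriod must be between 10 and 100 days")
    findings = []
    days = days_to_expiration(fields, now)
    if days < 0:
        findings.append(f"expired {-days} days ago")
    elif days <= notification_period:
        findings.append(f"expires in {days} days (within the "
                        f"{notification_period}-day notification period)")
    sigalg = fields.get("Signature Algorithm", "")
    if sigalg.lower().startswith(WEAK_SIG_PREFIXES):
        findings.append(f"weak signature algorithm {sigalg}")
    if fields.get("Public Key Algorithm") == "rsaEncryption":
        bits = int(fields.get("Public Key size", "0"))
        if bits < min_rsa_bits:
            findings.append(f"RSA key size {bits} is below the {min_rsa_bits}-bit minimum")
    return findings


if __name__ == "__main__":
    cert = parse_show_certkey(SAMPLE_SHOW_OUTPUT)
    for finding in audit_certkey(cert, utc(2004, 7, 20)):
        print(f"{cert['Name']}: {finding}")
```

Feeding the output of show ssl certKey for every configured pair through parse_show_certkey() and audit_certkey() gives the same alert the appliance would raise, plus the algorithm and key-size findings, without waiting for the SNMP trap.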

update ssl certKey

Updates the certificate or private key in a certificate-key pair. In a high availability configuration, the path to the certificate and the optional private key must be the same on the primary and secondary nodes.

Synopsis

update ssl certKey <certkeyName> [-cert <string> [-password]] [-key <string> | -fipsKey <string>] [-inform <inform>] [-noDomainCheck]

Arguments

certkeyName

Name of the certificate-key pair to update.

cert

Name of and, optionally, path to the X509 certificate file that is used to form the certificate-key pair. The certificate file should be present on the appliance's hard-disk drive or solid-state drive. Storing a certificate in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

key

Name of and, optionally, path to the private-key file that is used to form the certificate-key pair. The private-key file should be present on the appliance's hard-disk drive or solid-state drive. Storing a key in any location other than the default might cause inconsistency in a high availability setup. /nsconfig/ssl/ is the default path.

password

Passphrase that was used to encrypt the private-key. Use this option to load encrypted private-keys in PEM format.

fipsKey

Name of the FIPS key that was created inside the Hardware Security Module (HSM) of a FIPS appliance, or a key that was imported into the HSM.

inform

Input format of the certificate and the private-key files. The three formats supported by the appliance are:

PEM - Privacy Enhanced Mail

DER - Distinguished Encoding Rule

PFX - Personal Information Exchange

Possible values: DER, PEM, PFX

Default value: PEM

passplain

Pass phrase used to encrypt the private-key. Required when adding an encrypted private-key in PEM format.

noDomainCheck

Override the check for matching domain names during a certificate update operation.

Example

1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem

The above command updates a certificate and private key file.

2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********

The above command updates a certificate and private key file. Here the private key file is an encrypted key.

3) update ssl certkey mydomaincert

The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.