Product Documentation

ssl crl

Sep 12, 2016

The following operations can be performed on "ssl crl":

add | create | rm | set | unset | show

add ssl crl

Adds a Certificate Revocation List (CRL). A CRL identifies invalid certificates by serial number and issuer. In a high availability configuration, the CRL must be in the same location on the primary and secondary nodes.

Synopsis

add ssl crl <crlName> <crlPath> [-inform ( DER | PEM )] [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-method ( HTTP | LDAP )] [-server <ip_addr|ipv6_addr|*> | -url <URL>] [-port <port>] [-baseDN <string>] [-scope ( Base | One )] [-interval <interval>] [-day <integer>] [-time <HH:MM>] [-bindDN <string>] {-password } [-binary ( YES | NO )]

Arguments

crlName

Name for the Certificate Revocation List (CRL). Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the CRL is created.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my crl" or 'my crl').

crlPath

Path to the CRL file. /var/netscaler/ssl/ is the default path.

inform

Input format of the CRL file. The two formats supported on the appliance are:

PEM - Privacy Enhanced Mail.

DER - Distinguished Encoding Rules.

Possible values: DER, PEM

Default value: PEM

refresh

Set CRL auto refresh.

Possible values: ENABLED, DISABLED

CAcert

CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.

method

Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.

Possible values: HTTP, LDAP

server

IP address of the LDAP server from which to fetch the CRLs.

url

URL of the CRL distribution point.

port

Port for the LDAP server.

Minimum value: 1

baseDN

Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure's DN.

scope

Extent of the search operation on the LDAP server. Available settings function as follows:

One - One level below Base DN.

Base - Exactly the same level as Base DN.

Possible values: Base, One

Default value: One

interval

CRL refresh interval. Use the NONE setting to unset this parameter.

Possible values: MONTHLY, WEEKLY, DAILY, NONE

day

Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY.

Maximum value: 31

time

Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.

bindDN

Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

password

Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

binary

Set the LDAP-based CRL retrieval mode to binary.

Possible values: YES, NO

Default value: NO

Example

1) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
   add ssl crl crl_file /var/netscaler/ssl/crl.pem -cacert CAcert

The above commands add a CRL from the local storage system (HDD) with no refresh set.

2) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
   add ssl crl crl_file /var/netscaler/ssl/crl_new.pem -cacert CAcert -refresh ENABLED -server 10.102.1.100 -port 389 -interval DAILY -baseDN o=example.com,ou=security,c=US

The above commands add a CRL to the system by fetching it from the LDAP server and set the refresh interval to daily.

create ssl crl

Revokes a certificate, or list of certificates, or generates a CRL for the list of revoked certificates.

Synopsis

create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL <output_filename>) {-password }

Arguments

CAcertFile

Name of and, optionally, path to the CA certificate file.

/nsconfig/ssl/ is the default path.

Maximum value: 63

CAkeyFile

Name of and, optionally, path to the CA key file. /nsconfig/ssl/ is the default path.

Maximum value: 63

indexFile

Name of and, optionally, path to the file containing the serial numbers of all the certificates that are revoked. Revoked certificates are appended to the file. /nsconfig/ssl/ is the default path.

Maximum value: 63

revoke

Name of and, optionally, path to the certificate to be revoked. /nsconfig/ssl/ is the default path.

Maximum value: 63

genCRL

Name of and, optionally, path to the CRL file to be generated. The list of certificates that have been revoked is obtained from the index file. /nsconfig/ssl/ is the default path.

Maximum value: 63

password

Password for the CA key file.

Maximum value: 31

Example

1) create ssl crl /nsconfig/ssl/cacert.pem /nsconfig/ssl/cakey.pem /nsconfig/ssl/index.txt -genCRL /var/netscaler/ssl/crl.pem

The above command generates a CRL containing the revoked serial numbers recorded in index.txt, signed with the CA key.

rm ssl crl

Removes the specified CRL from the appliance.

Synopsis

rm ssl crl <crlName> ...

Arguments

crlName

Name of the CRL to remove.

Example

1) rm ssl crl ca_crl

The above command deletes the CRL object ca_crl from the system.

set ssl crl

Modifies all the parameters of a CRL, except the CRL name and method.

Synopsis

set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-server <ip_addr|ipv6_addr|*> | -url <URL>] [-method ( HTTP | LDAP )] [-port <port>] [-baseDN <string>] [-scope ( Base | One )] [-interval <interval>] [-day <integer>] [-time <HH:MM>] [-bindDN <string>] {-password } [-binary ( YES | NO )]

Arguments

crlName

Name of the CRL to be modified.

refresh

Set CRL auto refresh.

Possible values: ENABLED, DISABLED

CAcert

CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.

server

IP address of the LDAP server from which to fetch the CRLs.

method

Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.

Possible values: HTTP, LDAP

url

URL of the CRL distribution point.

port

Port for the LDAP server.

Minimum value: 1

baseDN

Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure's DN.

scope

Extent of the search operation on the LDAP server. Available settings function as follows:

One - One level below Base DN.

Base - Exactly the same level as Base DN.

Possible values: Base, One

Default value: One

interval

CRL refresh interval. Use the NONE setting to unset this parameter.

Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE

day

Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY.

Maximum value: 31

time

Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.

bindDN

Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

password

Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

binary

Set the LDAP-based CRL retrieval mode to binary.

Possible values: YES, NO

Default value: NO

Example

1) set ssl crl crl_file -refresh ENABLED -interval MONTHLY -day 10 -time 12:00

The above example sets the CRL refresh to every month, on date=10, at time=12:00 hrs.

2) set ssl crl crl_file -refresh ENABLED -interval WEEKLY -day 1 -time 00:10

The above example sets the CRL refresh to every week, on weekday=Monday, at 10 minutes past midnight.

3) set ssl crl crl_file -refresh ENABLED -interval DAILY -day 1 -time 12:00

The above example sets the CRL refresh to every day, at 12:00 hrs.

4) set ssl crl crl_file -refresh ENABLED -day 10

The above example sets the CRL refresh to every 10 days. Note: The CRL will be refreshed every 10 days, at 00:00 hrs.

5) set ssl crl crl_file -refresh ENABLED -time 01:00

The above example sets the CRL refresh to every 1 hour.

6) set ssl crl crl_file -refresh ENABLED -interval NOW

The above example refreshes the CRL immediately.

unset ssl crl

Use this command to remove ssl crl settings. Refer to the set ssl crl command for the meanings of the arguments.

Synopsis

unset ssl crl <crlName> [-refresh] [-CAcert] [-server] [-method] [-url] [-port] [-baseDN] [-scope] [-interval] [-day] [-time] [-bindDN] [-password] [-binary]

show ssl crl

Displays information about all the CRLs configured on the appliance, or displays detailed information about the specified CRL.

Synopsis

show ssl crl [<crlName>]

Arguments

crlName

Name of the CRL for which to show detailed information.

Outputs

crlPath

The name and path to the file containing the CRL.

inform

The encoding format of the CRL (PEM or DER).

CAcert

The CA certificate that issued the CRL.

refresh

The state of the auto refresh feature for the CRL.

scope

Extent of the search operation on the LDAP server.

Base - Exactly the same level as Base DN.

One - One level below Base DN.

server

The IP address of the LDAP/HTTP server from which the CRLs are to be fetched.

port

The port of the LDAP/HTTP server.

url

URL of the CRL distribution point.

method

The method for CRL refresh (LDAP or HTTP).

baseDN

The baseDN to be used to fetch the CRL object from the LDAP server.

interval

The CRL refresh interval.

day

The day when the CRL is to be refreshed.

time

The time when the CRL is to be refreshed.

bindDN

The bindDN to be used to access the CRL object in the LDAP repository.

password

The password used to access the CRL object in the LDAP repository.

flags

CRL status flag.

lastupdatetime

Last CRL refresh time.

version

CRL version.

signaturealgo

Signature algorithm.

issuer

Issuer name.

lastupdate

Last update time.

nextupdate

Next update time.

date

Certificate revocation date.

number

Certificate Serial number.

binary

Mode of retrieval of CRL from LDAP server.

daysToExpiration

Number of days remaining for the CRL to expire.

devno

count

stateflag

Example

1) An example of the output of the show ssl crl command is as follows:

1 configured CRL(s)

1) Name: ca_crl
   CRL Path: /var/netscaler/ssl/cr1.der
   Format: DER
   Cacert: ca_cert
   Refresh: DISABLED

2) An example of the output of the show ssl crl ca_crl command is as follows:

Name: ca_crl
Status: Valid, Days to expiration: 21
CRL Path: /var/netscaler/ssl/cr1.der
Format: DER
CAcert: ca_cert
Refresh: DISABLED
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
  Serial Number: 01
  Revocation Date:Dec 21 09:47:02 2001 GMT
  Serial Number: 02
  Revocation Date:Dec 21 09:47:02 2001 GMT
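The per-CRL detail output above is what an operator has to watch to know whether the appliance is still rejecting revoked certificates on current data. As an added example that is not part of the Citrix documentation, the following Python parses a constructed copy of that output, computes the days to Next_update against a supplied clock (the 7-day alert threshold is this example's own choice), flags a CRL left with Refresh DISABLED or signed with MD5, and looks up a serial number in the revoked list:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the "show ssl crl ca_crl" output quoted above.
SAMPLE_SHOW_OUTPUT = """\
Name: ca_crl
CAcert: ca_cert
Refresh: DISABLED
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
 Serial Number: 01
 Revocation Date:Dec 21 09:47:02 2001 GMT
 Serial Number: 02
 Revocation Date:Dec 21 09:47:02 2001 GMT
"""

def parse_show_ssl_crl(output):
    """Pull the fields a monitor needs out of one CRL's detail output."""
    info = {"revoked": []}
    for line in output.splitlines():
        key, _, value = line.partition(":")  # first colon only: the timestamps contain colons
        key, value = key.strip(), value.strip()
        if key in ("Last_update", "Next_update"):  # e.g. "Dec 21 09:47:16 2001 GMT"
            info[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        elif key == "Serial Number":
            info["revoked"].append(int(value, 16))  # serials are hex, so "01" and "1" match
        else:
            info[key] = value
    return info

def assess_crl(info, now, min_days=7):
    """Return (status, days_left, findings); min_days is this example's own alert threshold."""
    remaining = info["Next_update"] - now
    if remaining <= timedelta(0):
        status = "EXPIRED"  # past Next_update: revocation checks are running on stale data
    elif remaining.days < min_days:
        status = "EXPIRING"
    else:
        status = "OK"
    findings = []
    if info.get("Refresh") == "DISABLED":
        findings.append("auto refresh disabled: nothing replaces this CRL before Next_update")
    if info.get("Signature Algorithm", "").lower().startswith("md5"):
        findings.append("CRL signed with MD5, a broken hash")
    return status, remaining.days, findings

def is_revoked(info, serial):
    return int(serial, 16) in info["revoked"]
```

Run against the sample with a clock of Dec 30 2001 09:47:16 GMT, assess_crl reports 21 days left, matching the "Days to expiration: 21" the appliance printed.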