ADC CLI Commands

ssl-crl

The following operations can be performed on “ssl-crl”:

create set add rm show unset

create ssl crl

Revokes a certificate, or list of certificates, or generates a CRL for the list of revoked certificates.

Synopsis

create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <revoke> | -genCRL <genCRL>) {-password}

Arguments

CAcertFile Name of and, optionally, path to the CA certificate file. /nsconfig/ssl/ is the default path. Maximum value: 63

CAkeyFile Name of and, optionally, path to the CA key file. /nsconfig/ssl/ is the default path. Maximum value: 63

indexFile Name of and, optionally, path to the file containing the serial numbers of all the certificates that are revoked. Revoked certificates are appended to the file. /nsconfig/ssl/ is the default path. Maximum value: 63

revoke Name of and, optionally, path to the certificate to be revoked. /nsconfig/ssl/ is the default path. Maximum value: 63

genCRL Name of and, optionally, path to the CRL file to be generated. The list of certificates that have been revoked is obtained from the index file. /nsconfig/ssl/ is the default path. Maximum value: 63

password Password for the CA key file. Maximum value: 31

Example

1) create ssl crl /nsconfig/ssl/cacert.pem /nsconfig/ssl/cakey.pem /nsconfig/ssl/index.txt -genCRL /var/netscaler/ssl/crl.pem

set ssl crl

Modifies all the parameters of a CRL, except the CRL name and method.

Synopsis

set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <CAcert>] [-server <ip_addr|ipv6_addr|*> | -url <url>] [-method ( HTTP | LDAP )] [-port <port>] [-baseDN <baseDN>] [-scope ( Base | One )] [-interval <interval>] [-day <day>] [-time <time>] [-bindDN <bindDN>] {-password} [-binary ( YES | NO )]

Arguments

crlName Name of the CRL to be modified.

refresh Set CRL auto refresh.

Possible values: ENABLED, DISABLED

CAcert CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.

server IP address of the LDAP server from which to fetch the CRLs.

method Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.

Possible values: HTTP, LDAP

url URL of the CRL distribution point.

port Port for the LDAP server. Minimum value: 1

baseDN Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure’s DN.

scope Extent of the search operation on the LDAP server. Available settings function as follows: One - One level below Base DN. Base - Exactly the same level as Base DN.

Possible values: Base, One Default value: One

interval CRL refresh interval. Use the NONE setting to unset this parameter.

Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE

day Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY. Minimum value: 0 Maximum value: 31

time Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.

bindDN Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

password Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

binary Set the LDAP-based CRL retrieval mode to binary.

Possible values: YES, NO Default value: NO

Example

1) set ssl crl crl_file -refresh ENABLED -interval MONTHLY -day 10 -time 12:00
The above example sets the CRL refresh to every month, on date=10, at time=12:00hrs.

2) set ssl crl crl_file -refresh ENABLED -interval WEEKLY -day 1 -time 00:10
The above example sets the CRL refresh to every week, on weekday=Monday, at 10 minutes past midnight.

3) set ssl crl crl_file -refresh ENABLED -interval DAILY -day 1 -time 12:00
The above example sets the CRL refresh to every day, at 12:00hrs.

4) set ssl crl crl_file -refresh ENABLED -day 10
The above example sets the CRL refresh to every 10 days. Note: The CRL will be refreshed after every 10 days. The time for CRL refresh will be 00:00 hrs.

5) set ssl crl crl_file -refresh ENABLED -time 01:00
The above example sets the CRL refresh to every 1 hour.

6) set ssl crl crl_file -refresh ENABLED -interval NOW
The above example sets the CRL refresh to run instantaneously.
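The six examples above exercise every combination of -interval, -day and -time, and it is easy to misread what a given line will schedule (a weekday index versus a date, a period versus a time of day). The following Python script is an added example, not Citrix code and not appliance behaviour: it encodes the documented meaning of those three options so a `set ssl crl` line can be checked against a reference time before it is applied. Assumptions it makes are labelled in the comments: hour 24 is treated as midnight; without -interval, -day is a period in days (refreshing at -time, default 00:00) and -time alone is a period in hours and minutes, which is how examples 4 and 5 read; for MONTHLY, months that lack the requested date are skipped.

```python
"""Model of the CRL auto-refresh schedule documented for `set ssl crl`.

Added example, not Citrix code. It encodes the documented meaning of
-interval, -day and -time so that a configuration line can be checked
against a reference time before it is applied.
"""
import calendar
import shlex
from datetime import datetime, timedelta

INTERVALS = ("MONTHLY", "WEEKLY", "DAILY", "NOW", "NONE")


def _parse_time(value):
    """'-time HH:MM' -> (hour, minute); None -> midnight. Assumption: hour 24 means 00."""
    if value is None:
        return 0, 0
    hh, mm = value.split(":")
    hour, minute = int(hh) % 24, int(mm)
    if not 0 <= minute <= 59:
        raise ValueError(f"bad minute in -time {value!r}")
    return hour, minute


def _at(dt, hour, minute):
    return dt.replace(hour=hour, minute=minute, second=0, microsecond=0)


def next_refresh(now, interval=None, day=None, time=None):
    """Return the first refresh instant strictly after `now` (a naive datetime)."""
    interval = (interval or "NONE").upper()
    if interval not in INTERVALS:
        raise ValueError(f"unknown -interval {interval!r}")
    hour, minute = _parse_time(time)

    if interval == "NOW":
        return now
    if interval == "DAILY":            # -day is not applicable for DAILY and is ignored
        candidate = _at(now, hour, minute)
        return candidate if candidate > now else candidate + timedelta(days=1)
    if interval == "WEEKLY":           # -day is the weekday: Sun=0 ... Sat=6
        if day is None or not 0 <= day <= 6:
            raise ValueError("WEEKLY needs -day 0..6 (Sun=0, Sat=6)")
        target = (day - 1) % 7         # convert to Python's weekday(): Mon=0 ... Sun=6
        candidate = _at(now, hour, minute) + timedelta(days=(target - now.weekday()) % 7)
        return candidate if candidate > now else candidate + timedelta(days=7)
    if interval == "MONTHLY":          # -day is the date of the month
        if day is None or not 1 <= day <= 31:
            raise ValueError("MONTHLY needs -day 1..31")
        year, month = now.year, now.month
        for _ in range(24):            # assumption: months without that date are skipped
            if day <= calendar.monthrange(year, month)[1]:
                candidate = datetime(year, month, day, hour, minute)
                if candidate > now:
                    return candidate
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        raise ValueError("no matching date found")
    # No interval: periodic schedule (assumption drawn from examples 4 and 5 above)
    if day is not None:
        return _at(now, hour, minute) + timedelta(days=day)
    if time is not None:
        return now + timedelta(hours=hour, minutes=minute)
    raise ValueError("without -interval, give -day and/or -time")


def schedule_from_cli(cmdline):
    """Extract (-interval, -day, -time) from a `set ssl crl` line; option names matched case-insensitively."""
    tokens = shlex.split(cmdline)
    opts = {}
    i = 0
    while i < len(tokens):
        name = tokens[i].lower()
        if name in ("-interval", "-day", "-time") and i + 1 < len(tokens):
            opts[name[1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    day = int(opts["day"]) if "day" in opts else None
    return opts.get("interval"), day, opts.get("time")


def next_refresh_iso(cmdline, now_iso):
    """Same check on ISO-8601 strings, convenient for a one-off run from the shell."""
    interval, day, time = schedule_from_cli(cmdline)
    result = next_refresh(datetime.fromisoformat(now_iso), interval, day, time)
    return result.isoformat(timespec="minutes")


if __name__ == "__main__":
    reference = "2024-01-10T13:00"    # constructed reference time, a Wednesday
    for line in (
        "set ssl crl crl_file -refresh ENABLED -interval MONTHLY -day 10 -time 12:00",
        "set ssl crl crl_file -refresh ENABLED -interval WEEKLY -day 1 -time 00:10",
        "set ssl crl crl_file -refresh ENABLED -interval DAILY -day 1 -time 12:00",
        "set ssl crl crl_file -refresh ENABLED -day 10",
        "set ssl crl crl_file -refresh ENABLED -time 01:00",
        "set ssl crl crl_file -refresh ENABLED -interval NOW",
    ):
        print(f"{line:78} -> {next_refresh_iso(line, reference)}")
```

Running the script prints the next refresh instant for each of the six documented lines from the constructed Wednesday reference time, which makes the difference between `-interval WEEKLY -day 1` (next Monday) and `-day 10` with no interval (ten days later at 00:00) visible at a glance.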

add ssl crl

Adds a Certificate Revocation List (CRL). A CRL identifies invalid certificates by serial number and issuer. In a high availability configuration, the CRL must be in the same location on the primary and secondary nodes.

Synopsis

add ssl crl <crlName> <crlPath> [-inform ( DER | PEM )] [-refresh ( ENABLED | DISABLED )] [-CAcert <CAcert>] [-method ( HTTP | LDAP )] [-server <ip_addr|ipv6_addr|*> | -url <url>] [-port <port>] [-baseDN <baseDN>] [-scope ( Base | One )] [-interval <interval>] [-day <day>] [-time <time>] [-bindDN <bindDN>] {-password} [-binary ( YES | NO )]

Arguments

crlName Name for the Certificate Revocation List (CRL). Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the CRL is created.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my crl” or ‘my crl’).

crlPath Path to the CRL file. /var/netscaler/ssl/ is the default path.

inform Input format of the CRL file. The two formats supported on the appliance are: PEM - Privacy Enhanced Mail. DER - Distinguished Encoding Rule.

Possible values: DER, PEM Default value: PEM

refresh Set CRL auto refresh.

Possible values: ENABLED, DISABLED

CAcert CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.

method Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.

Possible values: HTTP, LDAP

server IP address of the LDAP server from which to fetch the CRLs.

url URL of the CRL distribution point.

port Port for the LDAP server. Minimum value: 1

baseDN Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure’s DN.

scope Extent of the search operation on the LDAP server. Available settings function as follows: One - One level below Base DN. Base - Exactly the same level as Base DN.

Possible values: Base, One Default value: One

interval CRL refresh interval. Use the NONE setting to unset this parameter.

Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE

day Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY. Minimum value: 0 Maximum value: 31

time Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.

bindDN Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

password Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

binary Set the LDAP-based CRL retrieval mode to binary.

Possible values: YES, NO Default value: NO

Example

1) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl.pem -CAcert CAcert
The above commands add a CRL from the local storage system (HDD) with no refresh set.

2) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl_new.pem -CAcert CAcert -refresh ENABLED -server 10.102.1.100 -port 389 -interval DAILY -baseDN o=example.com,ou=security,c=US
The above commands add a CRL to the system by fetching the CRL from the LDAP server and setting the refresh interval to daily.

rm ssl crl

Removes the specified CRL from the appliance.

Synopsis

rm ssl crl <crlName> ...

Arguments

crlName Name of the CRL to remove.

Example

1) rm ssl crl ca_crl
The above CLI command deletes the CRL object ca_crl from the system.

show ssl crl

Displays information about all the CRLs configured on the appliance, or displays detailed information about the specified CRL.

Synopsis

show ssl crl [<crlName>]

Arguments

crlName Name of the CRL for which to show detailed information.

Output

crlPath The name and path to the file containing the CRL.

inform The encoding format of the CRL (PEM or DER).

CAcert The CA certificate that issued the CRL.

refresh The state of the auto refresh feature for the CRL.

scope Extent of the search operation on the LDAP server. Base: Exactly the same level as baseDN. One: One level below baseDN.

server The IP address of the LDAP/HTTP server from which the CRLs are to be fetched.

port The port of the LDAP/HTTP server.

url URL of the CRL distribution point.

method The method for CRL refresh (LDAP or HTTP).

baseDN The baseDN to be used to fetch the CRL object from the LDAP server.

interval The CRL refresh interval.

day The day when the CRL is to be refreshed.

time The time when the CRL is to be refreshed.

bindDN The bindDN to be used to access the CRL object in the LDAP repository.

password The password used to access the CRL object in the LDAP repository.

flags CRL status flag.

lastupdatetime Last CRL refresh time.

version CRL version.

signaturealgo Signature algorithm.

issuer Issuer name.

lastupdate Last update time.

nextupdate Next update time.

date Certificate revocation date.

number Certificate Serial number.

binary Mode of retrieval of CRL from LDAP server.

daysToExpiration Number of days remaining for the CRL to expire.

devno

count

stateflag

Example

1) An example output of the show ssl crl command is as follows:

1 configured CRL(s)
1	Name: ca_crl
	CRL Path: /var/netscaler/ssl/cr1.der
	Format: DER
	CAcert: ca_cert
	Refresh: DISABLED

2) An example of the output of the show ssl crl ca_crl command is as follows:

Name: ca_crl
Status: Valid, Days to expiration: 21
CRL Path: /var/netscaler/ssl/cr1.der
Format: DER
CAcert: ca_cert
Refresh: DISABLED
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
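The detailed output above is what an operator has to read to answer the questions that matter for revocation checking: has the CRL passed its Next_update, is it being refreshed at all, and is a particular serial number on it. The script below is an added example, not Citrix code: it parses the `show ssl crl <crlName>` output format shown in example 2 into a dictionary, answers those questions, and flags an MD5-signed CRL. The sample text is constructed from the page's example; the three findings it reports (expired, weak signature algorithm, auto refresh disabled) are this example's own defender-side checks, not appliance behaviour.

```python
"""Parse `show ssl crl <crlName>` output and run basic health checks on it.

Added example, not Citrix code. The sample text is constructed from the
documentation's example output; the checks are this example's own heuristics.
"""
import re
from datetime import datetime

DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # format of Last_update / Next_update / Revocation Date

# Signature algorithms a reviewer would flag on a CRL (assumption of this example).
WEAK_SIG_ALGOS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Constructed from the documentation's example 2 for `show ssl crl ca_crl`.
SAMPLE_SHOW_OUTPUT = """\
Name: ca_crl
Status: Valid, Days to expiration: 21
CRL Path: /var/netscaler/ssl/cr1.der
Format: DER
CAcert: ca_cert
Refresh: DISABLED
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
"""


def _to_dt(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_show_ssl_crl(text):
    """Return the scalar fields as a dict plus a 'revoked' list of {serial, date} entries."""
    crl = {"revoked": []}
    pending_serial = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Serial Number:\s*(\S+)$", line)
        if m:                                   # a serial is followed by its revocation date
            pending_serial = m.group(1)
            continue
        m = re.match(r"^Revocation Date:\s*(.+)$", line)
        if m and pending_serial is not None:
            crl["revoked"].append({"serial": pending_serial,
                                   "date": datetime.strptime(m.group(1).strip(), DATE_FMT)})
            pending_serial = None
            continue
        m = re.match(r"^Status:\s*([^,]+),\s*Days to expiration:\s*(\d+)$", line)
        if m:                                   # two values share one line
            crl["status"] = m.group(1).strip()
            crl["days_to_expiration"] = int(m.group(2))
            continue
        m = re.match(r"^(Last_update|Next_update):\s*(.+)$", line)
        if m:                                   # note: no space after the colon in the output
            crl[m.group(1).lower()] = datetime.strptime(m.group(2).strip(), DATE_FMT)
            continue
        key, sep, value = line.partition(":")   # generic "Key: value" lines
        if sep and value.strip():
            crl[key.strip().lower().replace(" ", "_")] = value.strip()
    return crl


def is_revoked(crl, serial_hex):
    """Serials are printed in hex; compare numerically so '1', '01' and '0x01' agree."""
    wanted = int(serial_hex, 16)
    return any(int(entry["serial"], 16) == wanted for entry in crl["revoked"])


def check_crl(crl, now):
    """Findings a defender would act on; `now` may be a naive datetime or an ISO-8601 string."""
    now = _to_dt(now)
    findings = []
    next_update = crl.get("next_update")
    if next_update is not None and now > next_update:
        findings.append(f"CRL expired: Next_update {next_update:%Y-%m-%d %H:%M:%S} GMT is in the past")
    if crl.get("signature_algorithm") in WEAK_SIG_ALGOS:
        findings.append(f"weak CRL signature algorithm: {crl['signature_algorithm']}")
    if crl.get("refresh", "").upper() == "DISABLED":
        findings.append("auto refresh is DISABLED: the CRL will not be renewed before Next_update")
    return findings


if __name__ == "__main__":
    parsed = parse_show_ssl_crl(SAMPLE_SHOW_OUTPUT)
    print(f"{parsed['name']}: {len(parsed['revoked'])} revoked serial(s), "
          f"serial 02 revoked = {is_revoked(parsed, '02')}")
    for finding in check_crl(parsed, datetime.now()):
        print("-", finding)
```

Feed it the captured output of `show ssl crl <crlName>` instead of the constructed sample to get the same report for a live appliance; the date parsing relies on the `Mon DD HH:MM:SS YYYY GMT` layout visible in the example.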

unset ssl crl

Use this command to remove ssl crl settings. Refer to the set ssl crl command for the meanings of the arguments.

Synopsis

unset ssl crl <crlName> [-refresh] [-CAcert] [-server] [-method] [-url] [-port] [-baseDN] [-scope] [-interval] [-day] [-time] [-bindDN] [-password] [-binary]
