
addsslcrl

Use this method to add a Certificate Revocation List (CRL). A CRL identifies invalid certificates by serial number and issuer. In a high availability configuration, the CRL file must be present at the same path on the primary and secondary nodes.

Syntax



Parameters

crlname

Name for the Certificate Revocation List (CRL). Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the CRL is created. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my crl" or 'my crl').
This is a mandatory parameter.

crlpath

Path to the CRL file. /var/netscaler/ssl/ is the default path.
This is a mandatory parameter.

inform

Input format of the CRL file. The two formats supported on the appliance are: PEM - Privacy Enhanced Mail. DER - Distinguished Encoding Rule.
Default value = FORMAT_PEM.

refresh

Set CRL auto refresh.

cacert

CA certificate that has issued the CRL. Required if CRL Auto Refresh is selected. Install the CA certificate on the appliance before adding the CRL.

method

Method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.

server

IP address of the LDAP server from which to fetch the CRLs.

url

URL of the CRL distribution point.

port

Port for the LDAP server.
Minimum value = 1.

basedn

Base distinguished name (DN), which is used in an LDAP search to search for a CRL. Citrix recommends searching for the Base DN instead of the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the LDAP directory structure's DN.

scope

Extent of the search operation on the LDAP server. Available settings function as follows: One - One level below Base DN. Base - Exactly the same level as Base DN.
Default value = NSAPI_ONESCOPE.

interval

CRL refresh interval. Use the NONE setting to unset this parameter.

day

Day on which to refresh the CRL, or, if the Interval parameter is not set, the number of days after which to refresh the CRL. If Interval is set to MONTHLY, specify the date. If Interval is set to WEEKLY, specify the day of the week (for example, Sun=0 and Sat=6). This parameter is not applicable if the Interval is set to DAILY.
Maximum value = 0x1F.

time

Time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.

binddn

Bind distinguished name (DN) to be used to access the CRL object in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

password

Password to access the CRL in the LDAP repository if access to the LDAP repository is restricted or anonymous access is not allowed.

binary

Set the LDAP-based CRL retrieval mode to binary.
Default value = NO.
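The following is an added example, not Citrix code and not part of this reference page. It assembles a NITRO request body for this method from the parameter rules above (the crlname character set, the PEM/DER input formats, the default /var/netscaler/ssl/ path, the cacert and method requirements when refresh is enabled, the port minimum and the day maximum) and sniffs whether a CRL file on disk is PEM or DER before you choose inform. Assumptions not stated on this page: the NITRO resource is named sslcrl and is created with POST /nitro/v1/config/sslcrl, authentication uses the X-NITRO-USER and X-NITRO-PASS headers, refresh takes ENABLED/DISABLED, and binary takes YES/NO. The sample CRL bytes and the IP address, DN and file names in the test are constructed.

```python
"""Build and validate an 'add sslcrl' NITRO request (added example, not Citrix code).

Assumptions (not on the reference page): resource 'sslcrl' created by
POST /nitro/v1/config/sslcrl, X-NITRO-USER / X-NITRO-PASS authentication,
refresh = ENABLED/DISABLED, binary = YES/NO.
"""
import json
import re
import urllib.request

# crlname rule: first char ASCII alnum or '_', then alnum or _ # . space : @ = -
CRLNAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_#. :@=-]*$")
DEFAULT_CRL_DIR = "/var/netscaler/ssl/"   # default crlpath directory


def detect_crl_format(data: bytes) -> str:
    """Return the 'inform' value for a CRL file body: PEM if it carries the
    X509 CRL PEM armour, DER if it starts with the outer ASN.1 SEQUENCE tag."""
    if b"-----BEGIN X509 CRL-----" in data:
        return "PEM"
    if data[:1] == b"\x30":            # DER CertificateList is a SEQUENCE (0x30)
        return "DER"
    raise ValueError("not a PEM or DER encoded CRL")


def build_sslcrl_payload(crlname, crlpath, inform="PEM", refresh=False,
                         cacert=None, method=None, server=None, url=None,
                         port=None, basedn=None, scope=None, interval=None,
                         day=None, time=None, binddn=None, password=None,
                         binary=False):
    """Check the parameters against the documented rules and return the
    JSON-serialisable body {"sslcrl": {...}}; raise ValueError on a bad set."""
    if not CRLNAME_RE.match(crlname):
        raise ValueError(f"invalid crlname {crlname!r}")
    if inform not in ("PEM", "DER"):
        raise ValueError("inform must be PEM or DER")
    if "/" not in crlpath:              # bare file name: use the default directory
        crlpath = DEFAULT_CRL_DIR + crlpath
    body = {"crlname": crlname, "crlpath": crlpath, "inform": inform}
    if refresh:
        if not cacert:
            raise ValueError("cacert is required when refresh is enabled")
        if method == "LDAP":
            needed = (("server", server), ("basedn", basedn), ("port", port))
        elif method == "HTTP":
            needed = (("url", url), ("port", port))
        else:
            raise ValueError("method must be LDAP or HTTP when refresh is enabled")
        missing = [k for k, v in needed if v is None]
        if missing:
            raise ValueError(f"{method} refresh needs {', '.join(missing)}")
        if port < 1:
            raise ValueError("port minimum value is 1")
        if day is not None and not 0 <= day <= 0x1F:
            raise ValueError("day maximum value is 0x1F")
        if interval == "DAILY" and day is not None:
            raise ValueError("day is not applicable when interval is DAILY")
        body.update({"refresh": "ENABLED", "cacert": cacert,
                     "method": method, "port": port})
        for key, val in (("server", server), ("url", url), ("basedn", basedn),
                         ("scope", scope), ("interval", interval), ("day", day),
                         ("time", time), ("binddn", binddn),
                         ("password", password)):
            if val is not None:
                body[key] = val
        if binary:
            body["binary"] = "YES"
    return {"sslcrl": body}


def validation_error(**kw):
    """Return the ValueError message for a bad parameter set, or None if valid."""
    try:
        build_sslcrl_payload(**kw)
    except ValueError as exc:
        return str(exc)
    return None


def nitro_add_sslcrl(nsip, user, passwd, payload, timeout=10):
    """POST the body to the appliance over HTTPS and return the simpleResult
    JSON (errorcode, message, severity). Needs a live appliance; not run here."""
    req = urllib.request.Request(
        f"https://{nsip}/nitro/v1/config/sslcrl",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "X-NITRO-USER": user, "X-NITRO-PASS": passwd},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)
```

Two practical points the validator encodes: the appliance only reads the file at crlpath, so upload it to /var/netscaler/ssl/ on both HA nodes before calling the method, and when refresh is enabled the binddn password travels in the request body, so send it only over HTTPS and use a read-only LDAP account that can see nothing but the CRL object.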

Return Value

Returns simpleResult

See Also