security ssl show
Display the SSL configuration for HTTP servers
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command displays the configuration of encrypted HTTP (SSL) for Vservers in the cluster. Depending on the requirements of the individual node's or cluster's web services (displayed by the vserver services web show command), this encryption might or might not be used. If the Vserver does not have a certificate associated with it, SSL will not be available.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields <fieldname>, … parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-ocsp ]
If you specify the -ocsp parameter, the command displays the Online Certificate Status Protocol configuration.
| [-instance ] }
If you specify the -instance parameter, the command displays detailed information about all fields.
[-vserver <Vserver Name>]
- Vserver-
Identifies a Vserver for hosting SSL-encrypted web services.
[-ca <text>]
- Server Certificate Issuing CA-
Filters the display of SSL configuration by specifying the Certificate Authority (CA) that issued the server certificate.
[-serial <text>]
- Server Certificate Serial Number-
Filters the display of SSL configuration by specifying the serial number of a server certificate.
[-common-name <FQDN or Custom Common Name>]
- Server Certificate Common Name-
Filters the display of SSL configuration by specifying the common name for the server certificate.
[-server-enabled {true|false}]
- SSL Server Authentication Enabled-
Filters the display of SSL configuration according to whether the SSL server authentication is enabled or disabled. Vservers have self-signed certificates automatically generated during their creation. These Vserver self-signed certificates are server-enabled by default.
[-client-enabled {true|false}]
- SSL Client Authentication Enabled-
Filters the display of SSL configuration according to whether the SSL client authentication is enabled or disabled. You can enable client authentication only when server authentication is enabled.
[-ocsp-enabled {true|false}]
- Online Certificate Status Protocol Validation Enabled-
Filters the display of SSL configuration according to whether the Online Certificate Status Protocol validation is enabled or disabled.
[-ocsp-default-responder <text>]
- URI of the Default Responder for OCSP Validation-
Filters the display of SSL configuration according to the URI of the default responder for OCSP validation.
[-ocsp-override-responder {true|false}]
- Force the Use of the Default Responder URI for OCSP Validation-
Filters the display of SSL configuration according to whether the use of the default responder URI is forced for OCSP validation.
[-ocsp-responder-timeout <[<integer>d][<integer>h][<integer>m][<integer>s]>]
- Timeout for OCSP Queries-
Filters the display of SSL configuration according to the timeout for queries to OCSP responders.
[-ocsp-max-response-age <integer_or_unlimited>]
- Maximum Allowable Age for OCSP Responses (secs)-
Filters the display of SSL configuration according to the maximum allowable age (freshness) in seconds for the OCSP responses.
[-ocsp-max-response-time-skew <[<integer>d][<integer>h][<integer>m][<integer>s]>]
- Maximum Allowable Time Skew for OCSP Response Validation-
Filters the display of SSL configuration according to the maximum allowable time difference for OCSP responses (when validating their ThisUpdate and NextUpdate fields).
[-ocsp-use-request-nonce {true|false}]
- Use a NONCE within OCSP Queries-
Filters the display of SSL configuration by specifying whether the queries to the OCSP responders should contain a NONCE or not.
A NONCE is a unique identifier included in each OCSP request or OCSP response to prevent a replay attack.
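The OCSP freshness and replay settings above interact when a response is validated. The following is an added example, not ONTAP code or NetApp's implementation: it applies the conventional OCSP validity rules, and the function name, messages and sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def ocsp_response_problems(this_update, next_update, now, max_skew,
                           max_age=None, sent_nonce=None, got_nonce=None):
    """Return reasons to reject an OCSP response; an empty list means accept.

    max_skew stands for -ocsp-max-response-time-skew, max_age for
    -ocsp-max-response-age (None = unlimited), and sent_nonce is set only
    when -ocsp-use-request-nonce is true. The rules are the conventional
    OCSP validity checks, assumed here rather than taken from ONTAP.
    """
    problems = []
    # thisUpdate may run ahead of the local clock only by the allowed skew.
    if this_update > now + max_skew:
        problems.append("thisUpdate in the future")
    # Freshness: an old "good" answer may predate a revocation.
    if max_age is not None and this_update < now - max_age:
        problems.append("older than max response age")
    if next_update is not None:
        if next_update < now - max_skew:
            problems.append("nextUpdate has passed")
        if next_update < this_update:
            problems.append("nextUpdate precedes thisUpdate")
    # Replay protection: the response must echo the nonce we sent. A responder
    # serving pre-signed responses omits it and is rejected as well.
    if sent_nonce is not None and got_nonce != sent_nonce:
        problems.append("nonce mismatch")
    return problems

# Constructed sample values, not output from a real responder.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SKEW = timedelta(minutes=5)
MAX_AGE = timedelta(days=1)

FRESH = ocsp_response_problems(
    NOW - timedelta(hours=1), NOW + timedelta(hours=23), NOW, SKEW, MAX_AGE,
    sent_nonce=b"\x01\x02", got_nonce=b"\x01\x02")
REPLAYED = ocsp_response_problems(
    NOW - timedelta(days=3), NOW - timedelta(days=2), NOW, SKEW, MAX_AGE,
    sent_nonce=b"\x01\x02", got_nonce=b"\xaa\xbb")
AHEAD = ocsp_response_problems(
    NOW + timedelta(minutes=2), NOW + timedelta(days=1), NOW, SKEW, MAX_AGE)

if __name__ == "__main__":
    for name, result in (("fresh", FRESH), ("replayed", REPLAYED), ("ahead", AHEAD)):
        print(name, result or "accept")
```

Tightening the skew below the real clock drift between the cluster and the responder turns valid responses into "thisUpdate in the future" rejections, so time synchronization matters as much as the timeout values.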
Examples
The following example displays the configured certificates for Vservers.
cluster1::security ssl> show
          Serial                                           Server  Client
Vserver   Number   Common Name                             Enabled Enabled
--------- ------   --------------------------------------- ------- -------
cluster1  516C3CB3 cluster1.company.com                    true    true
vs0       516816D4 vs0.company.com                         true    false
2 entries were displayed.