```
[Group Group1 Menu]
     name     - Set descriptive group name
     type     - Set group type
     chainmod - Set chaining mode
     default  - Set certificate to use for clients with no SNI support
     add      - Add certificate to the group
     rem      - Remove certificate from the group
     del      - Delete certificate group
     cur      - Display current certificate group configuration
```

Command Syntax and Usage | |
---|---|
name | |
An optional descriptive name of the group in addition to the group ID. Values: 0 – 31 characters | |
type srvrcert|trustca|intermca | |
The certificate group type. All certificates in the group must be of the same type. Values: The Server Certificate group type (srvrcert) is used for client-side SSL processing when multiple domains are served by the same virtual service using the Server Name Indication (SNI) feature (also known as Virtual Hosting). The certificate and key pairs for each of the HTTPS sites must be available in the certificate repository and associated with the virtual service as a group of server certificates. (These certificates need not be related to one another.) Intermediate CA certificates (intermca) should be used when the CA providing the virtual service's server certificate is not directly trusted by the SSL client's trusted certificate store. The Intermediate CA certificate group is used to form the chain of trust between the Certificate Authority (CA) that signed the certificate and the CA that is already trusted by the end user, allowing the end user to verify the validity of the certificates presented, even when the signing CA of that certificate is unknown. To create the intermediate CA chain, import each certificate individually, and then associate it with an intermediate CA group. During the Apply, Alteon performs a chain validation to make sure that the CA certificate chain is valid. If the chain is not valid, the Apply fails. (CA certificates of different CA chains cannot be imported into the same intermediate CA group, because they do not form a valid chain.) Default: srvrcert Note: Whenever no SNI is sent by the client in the SSL Hello, the default certificate defined in the certificate group is returned to the client. In this case, no matter whether or not there is an SNI in the SSL Hello from the client, the default server certificate is returned to the client. If no default certificate is available, the connection fails. | |
chainmod | |
Sets the certificate chaining mode: chaining by a specified name (default) or by the certificate key ID. Valid values: keyid, name | |
default | |
Sets the certificate to use for clients with no SNI support. Use this option for TLS SNI configuration. It is only applicable for groups of type srvrcert. Note: When SNI is configured with a default certificate in the certificate group, after an upgrade to 30.0 the configuration moves to diff if the default certificate has not been added as part of the certificate group. As a workaround, before the upgrade to 30.0, set the default certificate to be part of the certificate group. | |
add | |
Adds a certificate to the group. Maximum number of certificates: 256 | |
rem | |
Removes a certificate from the group. | |
del | |
Deletes a certificate group. | |
cur | |
Displays the current certificate group settings. |
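
The single-chain requirement for an intermca group and the two chainmod values, modelled as an added example (not Alteon's code or its validation algorithm). `CaCert` and `order_chain` are hypothetical names, the sample metadata is constructed, and it is an assumption that name mode links issuer DN to subject DN while keyid mode links Authority Key Identifier to Subject Key Identifier.

```python
from typing import NamedTuple, Optional

class CaCert(NamedTuple):          # hypothetical metadata record
    subject: str                   # subject DN
    issuer: str                    # issuer DN
    ski: str                       # Subject Key Identifier
    aki: Optional[str]             # Authority Key Identifier (may be absent)

def order_chain(certs, chainmod="name"):
    """Order CA certs from the lowest CA upward; raise ValueError if the
    group is not one unbroken chain under the chosen chaining mode."""
    if chainmod == "name":
        own, parent = (lambda c: c.subject), (lambda c: c.issuer)
    elif chainmod == "keyid":
        own, parent = (lambda c: c.ski), (lambda c: c.aki)
    else:
        raise ValueError("chainmod must be 'name' or 'keyid'")
    by_id = {own(c): c for c in certs}
    if len(by_id) != len(certs):
        raise ValueError("two certificates share the same " + chainmod)
    # The lowest CA is the one no other group member points to as its issuer.
    pointed_to = {parent(c) for c in certs if parent(c) != own(c)}
    lowest = [c for c in certs if own(c) not in pointed_to]
    if len(lowest) != 1:
        raise ValueError("group does not form a single chain")
    chain = [lowest[0]]
    while len(chain) <= len(certs):            # bound guards against loops
        nxt = by_id.get(parent(chain[-1]))
        if nxt is None or nxt is chain[-1]:    # issuer outside group, or self-signed
            break
        chain.append(nxt)
    if len(chain) != len(certs):
        raise ValueError("group does not form a single chain")
    return chain

# Constructed sample metadata (not real certificates).
ISSUING = CaCert("CN=Example Issuing CA", "CN=Example Policy CA", "11aa", "22bb")
POLICY = CaCert("CN=Example Policy CA", "CN=Example Root CA", "22bb", "33cc")
# Same name as POLICY but a different key: links by name only.
REKEYED = CaCert("CN=Example Policy CA", "CN=Example Root CA", "99ff", "33cc")
# A CA from an unrelated chain.
OTHER = CaCert("CN=Other Issuing CA", "CN=Other Root CA", "44dd", "55ee")
```

In this model a re-keyed CA certificate that keeps its old name still chains in name mode but breaks the chain in keyid mode, and mixing `OTHER` into the group fails in both modes.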