/cfg/slb/ssl/certs/group
Certificate Group Menu
Use this menu to configure Trusted CA certificate and/or Intermediate CA certificate groups.
For more information on associating a Trusted CA certificate, or group of certificates, to a client authentication policy, see /cfg/slb/ssl/authpol Authentication Policy Menu.
For more information on associating an Intermediate CA certificate, or group of certificates, to an SSL policy, see /cfg/slb/ssl/sslpol SSL Policy Menu.
Note: This menu is also available through a non-secure connection.
 
[Group Group1 Menu]
name - Set descriptive group name
type - Set group type
chainmod - Set chaining mode
default - Set certificate to use for clients with no SNI support
add - Add certificate to the group
rem - Remove certificate from the group
del - Delete certificate group
cur - Display current certificate group configuration
 
Certificate Group Menu 
Command Syntax and Usage
name
 
An optional descriptive name of the group in addition to the group ID.
Values: 0 – 31 characters
type srvrcert|trustca|intermca
 
The certificate group type. All certificates in the group must be of the same type.
Values:
*srvrcert — The group that contains a list of server certificates.
The Server Certificate group type is used for client-side SSL processing when multiple domains are served by the same virtual service using the Server Name Indication (SNI) feature (also known as Virtual Hosting). The certificate and key pairs for each of the HTTPS sites must be available in the certificate repository and associated to the virtual service as a group of server certificates. (There can be no relation between these certificates.)
*trustca — The group that contains a list of trusted certificate authorities. SSL client authentication is used when there is a need to confirm a client's identity as part of the SSL handshake process. The client's certificate can be checked to determine whether it was issued by any Certificate Authority (CA) that is defined in the Trust CA certificate group. There is no correlation between the certificates in the Trust CA certificate group (that is, there is no issuer-subject relationship between them) and no chain should be formed from them. Each certificate is individual.
*intermca — The group that contains a list of intermediate CA certificates.
Intermediate CA certificates should be used when the CA providing the virtual service's server certificate is not directly trusted by the SSL client's trusted certificate store. The Intermediate CA certificate group is used to form the chain of trust between the Certificate Authority (CA) that signed the certificate and the CA that is already trusted by the end-user, allowing the end user to verify the validity of the certificates presented, even when the signing CA of that certificate is unknown. To create the intermediate CA chain, each certificate should be imported individually, and then associated to an intermediate CA group. During the Apply, Alteon performs a chain validation to make sure that the CA certificate chain is valid. If the chain is not valid, the apply fails. (CA certificates of different CA chains cannot be imported into the same intermediate CA group, because they do not form a valid chain.)
Default: srvrcert
Note: Whenever the client sends no SNI in the SSL Hello, the default certificate defined in the certificate group is returned to the client. In this case, no matter whether or not there is an SNI in the SSL Hello from the client, the default server certificate is returned to the client. If no default certificate is available, the connection fails.
chainmod
 
Sets the certificate chaining mode: either by a specified name (default) or by the certificate key ID.
Valid values: keyid, name
default
 
Sets the certificate to use for clients with no SNI support.
Use this option for TLS SNI configuration. It is only applicable for groups of type srvrcert.
Note: When SNI is configured with a default certificate in the certificate group, after an upgrade to 30.0 the configuration moves to diff if the default certificate has not been added as part of the certificate group. As a workaround, before upgrading to 30.0, set the default certificate to be part of the certificate group.
add
 
Adds a certificate to the group.
Maximum number of certificates: 256
rem
 
Removes a certificate from the group.
del
 
Deletes a certificate group.
cur
 
Displays the current certificate group settings.
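
The single-chain requirement for intermca groups and the two chainmod values described above can be checked before import with a structural pre-check such as the following. This is an added example, not Alteon code: it assumes that name mode links a certificate's issuer DN to its parent's subject DN and that keyid mode links the Authority Key Identifier to the parent's Subject Key Identifier, and the function names and sample certificates are constructed. It checks structure only, not signatures or validity dates.

```python
# Added example (not Alteon code): structural pre-check for an intermca group.
# Assumed linking rules: name  -> child's issuer DN == parent's subject DN
#                        keyid -> child's Authority Key ID == parent's Subject Key ID
LINK = {"name": ("issuer", "subject"), "keyid": ("aki", "ski")}

def order_chain(certs, chainmod="name"):
    """Return cert ids ordered from the lowest CA up to the highest CA in the group.
    Raise ValueError unless the certs form exactly one linear chain."""
    if chainmod not in LINK:
        raise ValueError(f"unknown chainmod: {chainmod!r}")
    child_field, parent_field = LINK[chainmod]
    by_parent_value = {}
    for cert in certs:
        if cert[parent_field] in by_parent_value:
            raise ValueError(f"two certificates share {parent_field} {cert[parent_field]!r}")
        by_parent_value[cert[parent_field]] = cert
    # issuer_of[x] = id of the group member that issued x (a self-signed cert links to nothing)
    issuer_of = {}
    for cert in certs:
        parent = by_parent_value.get(cert[child_field])
        if parent is not None and parent is not cert:
            issuer_of[cert["id"]] = parent["id"]
    ends = [c["id"] for c in certs if c["id"] not in issuer_of.values()]
    if len(ends) != 1:
        raise ValueError(f"expected one chain, found {len(ends)} chain ends: {ends}")
    chain = ends
    while chain[-1] in issuer_of:
        if issuer_of[chain[-1]] in chain:
            raise ValueError("issuer loop in group")
        chain.append(issuer_of[chain[-1]])
    if len(chain) != len(certs):
        raise ValueError("some certificates are not part of the chain")
    return chain

# Constructed sample data: fields as read from each certificate, not real CAs.
POLICY = {"id": "policy-ca", "subject": "CN=Example Policy CA", "issuer": "CN=Example Root CA", "ski": "11", "aki": "00"}
ISSUING = {"id": "issuing-ca", "subject": "CN=Example Issuing CA", "issuer": "CN=Example Policy CA", "ski": "22", "aki": "11"}
# Same subject name as POLICY but a different key (a re-keyed CA).
REKEYED = dict(POLICY, id="policy-ca-rekeyed", ski="99")
# Belongs to an unrelated CA hierarchy, so it cannot join the chain above.
FOREIGN = {"id": "other-ca", "subject": "CN=Other Issuing CA", "issuer": "CN=Other Root CA", "ski": "aa", "aki": "bb"}

def is_valid_group(certs, chainmod):
    """True if the group would pass the structural check in the given chainmod."""
    try:
        order_chain(certs, chainmod)
        return True
    except ValueError:
        return False
```

The re-keyed CA is the case where the two modes disagree: `[REKEYED, ISSUING]` links by name but not by key ID, so a group that passes under one chaining mode can fail under the other.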