security ssl modify
Modify the SSL configuration for HTTP servers
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
This command modifies the configuration of encrypted HTTP (SSL) for Vservers in the cluster. Depending on the requirements of the individual node's or cluster's web services (displayed by the vserver services web show command), this encryption might or might not be used. If the Vserver does not have a certificate associated with it, SSL will not be available.
Parameters
-vserver <vserver name> - Vserver
Identifies a Vserver for hosting SSL-encrypted web services.
[-ca <text>] - Server Certificate Issuing CA
Identifies a Certificate Authority (CA) of a certificate to be associated with the instance of a given Vserver. If this parameter, along with serial, is omitted during modification, a self-signed SSL certificate can be optionally generated for that Vserver.
[-serial <text>] - Server Certificate Serial Number
Identifies a serial number of a certificate to be associated with the instance of a given Vserver. If this parameter, along with ca, is omitted during modification, a self-signed SSL certificate can be optionally generated for that Vserver.
[-common-name <FQDN or Custom Common Name>] - Server Certificate Common Name
Identifies the common name (CN) of a certificate to be associated with the instance of a given Vserver. This parameter becomes optional if serial and ca are specified. You can use the security certificate create and security certificate install commands to add new certificates to Vservers.
Note:
The use of self-signed SSL certificates exposes users to man-in-the-middle security attacks. Where possible, obtain a certificate that is signed by a reputable certificate authority (CA) and use the security certificate install command to configure it before enabling SSL on a Vserver.
[-server-enabled {true|false}] - SSL Server Authentication Enabled
Defines the working condition of SSL server authentication in an instance of the Vserver. Any Vserver with a valid certificate of type server is server-enabled.
[-client-enabled {true|false}] - SSL Client Authentication Enabled
Defines the working condition of SSL client authentication in an instance of the Vserver. Any Vserver with a valid certificate of type client-ca is client-enabled. It can only be enabled if server-enabled is true.
Examples
The following example enables SSL server authentication for a Vserver named vs0 with a certificate that has ca as www.example.com and serial as 4F4EB629.
cluster1::> security ssl modify -vserver vs0 -ca www.example.com -serial 4F4EB629 -server-enabled true
The following example disables SSL server authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -server-enabled false
The following example enables SSL client authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -client-enabled true
The following example disables SSL client authentication for a Vserver named vs0.
cluster1::> security ssl modify -vserver vs0 -client-enabled false
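The Note above recommends a CA-signed certificate over a self-signed one. As an added example (not NetApp code), the following shell functions use the openssl CLI on an administrator workstation to refuse a self-signed PEM file and to print the -ca and -serial values for a CA-issued one. It assumes that -ca takes the issuer's common name; the function names, file names and the throwaway CA are constructed for the demonstration.

```shell
#!/bin/sh
# Print one field (issuer, subject or serial) of a PEM certificate, without the "name=" prefix.
cert_field() {  # $1 = PEM file, $2 = issuer|subject|serial
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# Return 0 when issuer and subject are identical (heuristic for a self-signed certificate).
is_self_signed() {  # $1 = PEM file
    [ "$(cert_field "$1" issuer)" = "$(cert_field "$1" subject)" ]
}

# Print the security ssl modify command for a CA-issued certificate; refuse a self-signed one.
ssl_modify_cmd() {  # $1 = Vserver name, $2 = PEM file
    if is_self_signed "$2"; then
        echo "refusing: $2 is self-signed" >&2
        return 1
    fi
    # Assumption: the value for -ca is the common name of the certificate's issuer.
    ca=$(openssl x509 -in "$2" -noout -issuer -nameopt multiline | sed -n 's/^ *commonName *= *//p')
    echo "security ssl modify -vserver $1 -ca \"$ca\" -serial $(cert_field "$2" serial) -server-enabled true"
}

# Constructed sample input: a throwaway CA and a server certificate it signs (serial 4F4EB629).
make_samples() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example.com" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vs0.example.com" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 0x4F4EB629 -days 1 -out "$1/srv.pem" 2>/dev/null
}

d=$(mktemp -d) && make_samples "$d"
ssl_modify_cmd vs0 "$d/srv.pem"          # CA-issued: prints the command to review
ssl_modify_cmd vs0 "$d/ca.pem" || true   # self-signed: refused with a message on stderr
```

The certificate still has to be installed with security certificate install before the printed command is run on the cluster.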