
    scio ssl


    scio ssl option argument


    Manages SSL server keys and certificate authorities (CA) used by the IDP Series device to inspect SSL traffic. Also manages the whitelist of destination servers you want to exempt from decryption and IDP processing.


    Table 1 describes scio ssl options and arguments and provides examples of command syntax.

    Table 1: Command Reference: scio ssl


    Usage and Examples

    list all

    Lists all stored SSL keys. Each IDP Series device can store 100 server private keys and 100 servers per key.

    [root@defaulthost admin]# scio ssl list all
    [root@defaulthost admin]#

    list key key-id

    Lists all servers associated with a particular key.

    [root@defaulthost admin]# scio ssl list key Key-1
    [root@defaulthost admin]#

    add key key-path [password password-string] [server server-ip]

    Adds a key with an optional password and an associated server.

    Use SCP or FTP to copy your SSL server private key file to the IDP Series device. The IDP Series device does not run an FTP server, so you have to initiate the FTP session from the IDP Series device.

    Keys must be based on RSA and be in PEM format. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits.

    [root@defaulthost admin]# scio ssl add key /tmp/server.key password P@ss-Strong! server
    [root@defaulthost admin]#

    add server server-ip key key-id

    Associates the specified server with the specified key.

    [root@defaulthost admin]# scio ssl add server key server.key
    [root@defaulthost admin]#

    delete all

    Clears the SSL keystore.

    [root@defaulthost admin]# scio ssl delete all
    [root@defaulthost admin]#

    delete key key-id [server server-ip ]

    Deletes a particular SSL key from the SSL keystore. To delete a key-server association but not the key, use the server option.

    [root@defaulthost admin]# scio ssl delete key server.key server
    [root@defaulthost admin]#

    ca {create country-code state locality organization organization-unit common-name e-mail [nbits] | delete | export | show}

    Use these options to configure the CA used by the SSL forward proxy feature.

    Command arguments correspond with the values you want to set for the CA:

    • country-code–A two-letter code. This is the C value in the certificate.
    • state–A string. This is the ST value in the certificate.
    • locality–A string. This is the L value in the certificate.
    • organization–A string. This is the O value in the certificate.
    • organization-unit–A string. This is the OU value in the certificate.
    • common-name–A string. This is the CN value in the certificate.
    • e-mail–An e-mail address. This should be an administrative e-mail address for the issuer.
    • nbits–The RSA private key length. We have verified support for the following RSA private key lengths: 1024 bits, 2048 bits, 3072 bits, and 4096 bits. If you do not specify this option, the key length defaults to 1024 bits.

    Note: Enclose strings that are phrases in single quotation marks.

    The following example creates a root self-signed CA used by the SSL forward proxy feature:

    [root@defaulthost admin]# scio ssl ca create US CA Sunnyvale 'Juniper Networks Inc.' 'SSL Inspection policy' 'Juniper IT Services' '' 1024

    The following example displays the CA settings:

    [root@defaulthost admin]# scio ssl ca show
    subject= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/
    issuer= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection policy/CN=Juniper IT Services/
    notBefore=Jun 25 22:13:23 2009 GMT
    notAfter=Jun 23 22:13:23 2019 GMT

    The following example prints to the screen the CA in PEM format. You can copy this to a file and then import this CA into SSL clients, enabling them to validate and trust certificates signed by the IDP Series device:

    [root@defaulthost admin]# scio ssl ca export
    -----END CERTIFICATE-----

    Deleting a CA effectively turns off the SSL forward proxy feature. The following example deletes the CA:

    [root@defaulthost admin]# scio ssl ca delete
    [root@defaulthost admin]#

    whitelist {import filepathname | export }

    Imports or exports a whitelist file. A whitelist file is a list of IP addresses and domain names for destination servers for which traffic should not be inspected. The file must be reachable by the filepathname you specify. We recommend you store the file in the IDP Series device /tmp directory.

    Traffic that matches a whitelist entry is passed through (not decrypted or inspected).

    The following example shows the format of a whitelist file:

    Each line in the whitelist file specifies the IP address or domain name for a destination server. To whitelist multiple sites with one entry, you can use an IP prefix to match address blocks and a domain suffix to include all subdomains.

    The domain name in your whitelist should match the common name entry in the certificate presented by the destination server. For example, suppose the certificate for the E-Trade HTTPS server contains the following subject:

    C=US, ST=Georgia, L=Alpharetta, O=ETRADE FINANCIAL CORPORATION, OU=Global Information Security,

    You can whitelist this site by adding either or the domain suffix to your whitelist file.
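    As an added illustration (not from the IDP documentation), the following Python matcher applies the whitelist rules described above to a destination's IP address and the CN of the certificate it presents, rather than to the hostname a client typed. The entry syntax it assumes (IPv4 address or CIDR prefix, a bare domain name, or a leading-dot suffix covering the name and all its subdomains) and the sample file are constructed; the device's own parser may differ.

```python
import ipaddress

# Constructed sample whitelist (not from the page). Assumed syntax:
# one entry per line, '#' comments, an IP address or CIDR prefix,
# an exact domain name, or a leading-dot suffix for all subdomains.
SAMPLE_WHITELIST = """\
# banking and payroll: exempt from decryption and IDP inspection
203.0.113.10
198.51.100.0/24
www.example-bank.com
.payroll.example.net
"""


def parse_whitelist(text):
    """Split a whitelist file into address blocks, exact names, suffixes."""
    nets, names, suffixes = [], set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets a bare address become a /32 network
            nets.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass  # not an address: treat as a domain entry
        entry = line.lower().rstrip(".")
        if entry.startswith("."):
            suffixes.append(entry)
        else:
            names.add(entry)
    return nets, names, suffixes


def is_exempt(dest_ip, cert_cn, whitelist):
    """True if the flow should bypass decryption.

    cert_cn is the CN from the certificate the server presented,
    since the page says the whitelist name must match that CN.
    """
    nets, names, suffixes = whitelist
    addr = ipaddress.ip_address(dest_ip)
    if any(addr in net for net in nets):
        return True
    cn = cert_cn.lower().rstrip(".")
    if cn in names:
        return True
    # a suffix entry matches the apex name itself and every subdomain
    return any(cn == sfx[1:] or cn.endswith(sfx) for sfx in suffixes)
```

Note that an exact entry such as www.example-bank.com does not cover example-bank.com or its other subdomains; use a suffix entry when that is the intent.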

    The following example shows the syntax for the import option.

    [root@defaulthost admin]# scio ssl whitelist import /tmp/whitelist.txt
    [root@defaulthost admin]#

    Note: To update the active whitelist, import an updated whitelist file. To clear the whitelist, import a file that contains only one empty line.

    The following example shows the syntax for the export option. The export option prints the active whitelist to the screen.

    [root@defaulthost admin]# scio ssl whitelist export

    Published: 2011-02-08