8.13. TLS Command Reference

This command configures TLS parameters.

This command configures TLS certificate profile information. The certificate profile contains the certificates that are sent to the TLS peer (server or client) to authenticate itself. It is mandatory for the TLS server to send this information. The TLS client may optionally send this information upon request from the TLS server.

The no form of the command deletes the specified TLS certificate profile.

This command configures an entry for the TLS certificate profile. A certificate profile may have up to eight entries. Currently, TLS uses the entry with the smallest ID number when responding to server requests.

The no form of the command deletes the specified entry.

This command specifies the file name of an imported certificate for the cert-profile entry.

The no form of the command removes the certificate.

This command specifies the file name of an imported key for the cert-profile entry.

The no form of the command removes the key.

This command enables the sending of certificate authority (CA) certificates, and enters the context to configure send-chain information.

By default, the system only sends the TLS server certificate or TLS client certificate specified by the cert command. If CA certificates are to be sent using send-chain, they must be in the chain of certificates specified by the config>system>security>pki>ca-profile command. The specification of the send-chain is not necessary for a working TLS profile if the TLS peer has the CA certificate used to sign the server or client certificate in its own trust anchor.

For example, given a TLS client running on SR OS, the ROOT CA certificate resides on the TLS server, but the subsequent SUB-CA certificate needed to complete the chain resides within SR OS. The send-chain command allows these SUB-CA certificates to be sent from SR OS to the peer to be authenticated using the ROOT CA certificate that resides on the peer.

The no form of the command disables the send-chain.

This command enables a certificate authority (CA) certificate in the specified CA profile to be sent to the peer. Up to seven configurations of this command are permitted in the same entry.

The no form of the command disables the transmission of a CA certificate from the specified CA profile.

This command disables the certificate profile. When the certificate profile is disabled, it will not be sent to the TLS server.

The no form of the command enables the certificate profile and allows it to be sent to the TLS server.

This command creates a cipher list that the client sends to the server in the client Hello message. It is a list of ciphers that are supported and preferred by the SR OS to be used in the TLS session. The server matches this list against the server cipher list. The most preferred cipher found in both lists is chosen.

This command configures the cipher suite to be negotiated by the server and client.

This command configures the TLS client profile to be assigned to applications for encryption.

This command assigns the cipher list to be used by the TLS client profile for negotiation in the client Hello message.

This command administratively enables or disables the TLS profile. If the TLS profile is shut down, the TLS operational status will be down. Therefore, if the TLS profile is shut down, any application using TLS should not attempt to send any PDUs.

This command assigns the trust anchor used by this TLS profile to authenticate the server or client.

The no form of the command removes the configured trust anchor profile.

This command creates the cipher list that is compared against cipher lists sent by the client to the server in the client hello message. The list contains all ciphers that are supported and desired by SR OS for use in the TLS session. The first common cipher found in both the server and client cipher lists will be chosen. As such, the most desired ciphers should be added at the top of the list.

The no form of the command removes the cipher list.

This command creates a TLS server profile. This profile can be used by applications that support TLS for encryption. The applications should not send any PDUs until the TLS handshake has been successful.

The no form of the command removes the TLS server profile.

This command enters the context to configure client authentication parameters.

This command assigns a TLS certificate profile to be used by the TLS client profile. This certificate is sent to the server for authentication of the client and public key.

The no form of the command removes the TLS certificate profile assignment.

This command assigns a TLS certificate profile to be used by the TLS server profile. This certificate is sent to the client for authentication of the server and public key.

The no form of the command removes the TLS certificate profile assignment.

This command assigns a cipher list to be used by the TLS server profile. This cipher list is used to find matching ciphers with the cipher list that is received from the client.

The no form of the command removes the cipher list.

This command configures the timed interval after which the server is triggered to send a Hello request message to all clients and force a renegotiation of the symmetric encryption key. When an interval of 0 is configured, the server will never send a hello request message.

This command configures a trust anchor profile to be used in the TLS profile. The trust anchor is used for authentication of the server certificate.

This command configures a trust anchor with a CA profile used by the TLS profile. Up to eight CA profiles can be configured under the trust anchor. TLS will read the CA profiles one by one to try to authenticate the server certificate.

This command adds or removes an LDAP server.

This command assigns a TLS profile to the LDAP application. When a TLS profile is assigned, the LDAP application will send encrypted PDUs from the client to the LDAP server. If TLS is operationally down, the LDAP application should not send any PDUs.

This command manually reloads the certificate or key cache.