SSL

ssl configuration

Configuration APIs


Use this method to create a new SSL action. An SSL action defines SSL settings that you can apply to the selected requests. You associate an action with one or more policies. Data in client connection requests or responses is compared to a rule (expression) specified in the policy, and the action is applied to connections that match the rule.


Use this method to add a CA certificate bundle. After it is bound to a virtual server, service, or service group, it is used for certificate authentication.


Use this method to create a new CA certificate group.


Use this method to form an SSL certificate chain in one shot. For a given certificate-key pair, the system scans all the certificates present on the appliance and forms the appropriate certificate chain automatically.


Use this method to add a certificate-key pair to memory. After it is bound to a virtual server or service, it is used for processing SSL transactions.
In a high-availability configuration, the path to the certificate and the optional private key must be the same on the primary and the secondary appliance. For a server certificate, a private key is required.


Use this method to add a certificate-key bundle. After it is bound to a virtual server, it is used for processing SSL transactions.


Use this method to create a user-defined cipher group, which you can bind to an SSL virtual server instead of binding ciphers individually. Although you cannot modify a built-in cipher group, you can add built-in cipher groups as well as individual ciphers to a user-defined cipher group.


Use this method to add a Certificate Revocation List (CRL). A CRL identifies revoked certificates by serial number and issuer. In a high availability configuration, the CRL must be in the same location on the primary and secondary nodes.


Use this method to create a new DTLS profile on the Citrix ADC.


Use this method to add an echConfig with its supported cipher, HPKE key, public name, config ID, and version.


Use this method to add an HPKE key.


Use this method to add an HSM key.


Use this method to add an SSL log profile for logging SSL events.


Use this method to add an OCSP responder. An OCSP responder identifies the OCSP server that validates a certificate. Citrix ADCs support OCSP as defined in RFC 2560 (since superseded by RFC 6960, which keeps the same message format).


Use this method to add an SSL policy. An SSL policy evaluates incoming traffic and applies a predefined action to requests that match a rule (expression). You must configure the actions before creating the policies, so that you can specify an action when you create a policy.


Use this method to create an SSL policy label. An SSL policy label can be a control label or a data label.


Use this method to add a new SSL profile on the Citrix ADC.


Use this method to apply the specified CA certificate bundle; the device then uses the applied bundle to validate server certificates. Use 'apply ssl certBundle DEFAULT' to restore the default CA certificate bundle.


Use this method to bind certkey to ssl caCertGroup.


Use this method to bind ocspresponder to ssl certKey.


Use this method to bind servicegroup to ssl certKey.


Use this method to bind service to ssl certKey.


Use this method to bind vserver to ssl certKey.


Use this method to bind ciphergroup to ssl cipher.


Use this method to bind cipher to ssl cipher.


Use this method to bind cipherpriority to ssl cipher.


Use this method to bind servicegroup to ssl cipher.


Use this method to bind service to ssl cipher.


Use this method to bind vserver to ssl cipher.


Use this method to bind policy to ssl global.


Use this method to bind policy to ssl policylabel.


Use this method to bind certkey to ssl profile.


Use this method to bind cipher to ssl profile.


Use this method to bind cipherpriority to ssl profile.


Use this method to bind ecccurve to ssl profile.


Use this method to bind echconfig to ssl profile.


Use this method to bind sslicacertkey to ssl profile.


Use this method to bind cacertbundle to ssl service.


Use this method to bind certkey to ssl service.


Use this method to bind cipher to ssl service.


Use this method to bind ecccurve to ssl service.


Use this method to bind policy to ssl service.


Use this method to bind cacertbundle to ssl serviceGroup.


Use this method to bind certkey to ssl serviceGroup.


Use this method to bind cipher to ssl serviceGroup.


Use this method to bind ecccurve to ssl serviceGroup.


Use this method to bind cacertbundle to ssl vserver.


Use this method to bind certkeybundle to ssl vserver.


Use this method to bind certkey to ssl vserver.


Use this method to bind cipher to ssl vserver.


Use this method to bind ecccurve to ssl vserver.


Use this method to bind policy to ssl vserver.
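As an added example (not Citrix code or documentation), the following Python builds the NITRO calls for the add-and-bind sequence listed above: add a certificate-key pair, create a user-defined cipher group and bind suites to it by priority, create a front-end SSL profile, and bind the profile and certificate to a virtual server. Before anything is built it decomposes each suite name into the key exchange, authentication, encryption and MAC components and refuses suites without forward secrecy or with known-weak components. Assumptions: the NITRO v1 path layout and the resource and attribute names (sslcertkey, sslcipher, sslcipher_sslciphersuite_binding, sslprofile, sslprofile_sslcipher_binding, sslvserver_sslcertkey_binding, sslvserver) follow the CLI objects on this page; the cipher names, NSIP, credentials and file paths are constructed for illustration.

```python
import json
import urllib.request

# Assumed policy for a public-facing front end: no legacy protocols, forward secrecy
# required, and none of these components anywhere in the suite name.
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "EXP", "EXPORT", "ADH", "AECDH", "ANON"}
PFS_KX = {"ECDHE", "DHE"}


def classify_cipher(name):
    """Split a Citrix-style suite name such as TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
    into protocol, key exchange (Kx), authentication (Au), encryption (Enc) and MAC."""
    proto, _, rest = name.partition("-")
    parts = rest.split("-")
    if proto == "TLS1.3":
        # TLS 1.3 names carry only the AEAD and hash: Kx is always (EC)DHE and
        # Au comes from the certificate, not from the suite.
        kx, au, enc, mac = "ECDHE", "CERT", "-".join(parts[:-1]), parts[-1]
    elif parts[0] in PFS_KX | {"ECDH", "DH"}:
        kx, au, enc, mac = parts[0], parts[1], "-".join(parts[2:-1]), parts[-1]
    elif parts[0] in {"ADH", "AECDH"}:
        kx, au, enc, mac = parts[0], "NONE", "-".join(parts[1:-1]), parts[-1]
    else:
        # Plain RSA key transport: the server key both authenticates and carries the secret.
        kx, au, enc, mac = "RSA", "RSA", "-".join(parts[:-1]), parts[-1]
    return {"proto": proto, "kx": kx, "au": au, "enc": enc, "mac": mac}


def cipher_weaknesses(name):
    """Reasons a suite should be kept out of a front-end cipher group (empty list = acceptable)."""
    c = classify_cipher(name)
    reasons = []
    if c["proto"] in {"SSL2", "SSL3"}:
        reasons.append("legacy protocol " + c["proto"])
    if c["kx"] not in PFS_KX:
        reasons.append("no forward secrecy (Kx=%s)" % c["kx"])
    for token in sorted(set(name.split("-")) & WEAK_TOKENS):
        reasons.append("weak component " + token)
    return reasons


def nitro_request(nsip, user, password, method, resource, body=None):
    """Describe one NITRO v1 configuration call as a dict; nothing is sent here."""
    headers = {"X-NITRO-USER": user, "X-NITRO-PASS": password,
               "Content-Type": "application/json"}
    return {"method": method,
            "url": "https://%s/nitro/v1/config/%s" % (nsip, resource),
            "headers": headers,
            "body": None if body is None else json.dumps({resource: body})}


def decoded_body(call):
    return json.loads(call["body"])


def hardening_requests(nsip, user, password, vserver, certkey, cert_path, key_path,
                       group, ciphers, profile):
    """Assemble the calls for one front-end virtual server in the order the ADC
    needs them (objects before bindings). Weak suites are refused before any call is built."""
    bad = {c: cipher_weaknesses(c) for c in ciphers if cipher_weaknesses(c)}
    if bad:
        raise ValueError("refusing weak cipher suites: %r" % bad)

    def req(method, resource, body):
        return nitro_request(nsip, user, password, method, resource, body)

    calls = [req("POST", "sslcertkey", {"certkey": certkey, "cert": cert_path, "key": key_path}),
             req("POST", "sslcipher", {"ciphergroupname": group})]
    for priority, suite in enumerate(ciphers, start=1):
        calls.append(req("PUT", "sslcipher_sslciphersuite_binding",
                         {"ciphergroupname": group, "ciphername": suite,
                          "cipherpriority": priority}))
    calls.append(req("POST", "sslprofile", {
        "name": profile, "sslprofiletype": "FrontEnd",
        "ssl3": "DISABLED", "tls1": "DISABLED", "tls11": "DISABLED",
        "tls12": "ENABLED", "tls13": "ENABLED",
        "denysslreneg": "NONSECURE", "sendclosenotify": "YES"}))
    calls.append(req("PUT", "sslprofile_sslcipher_binding",
                     {"name": profile, "ciphername": group, "cipherpriority": 1}))
    calls.append(req("PUT", "sslvserver_sslcertkey_binding",
                     {"vservername": vserver, "certkeyname": certkey}))
    calls.append(req("PUT", "sslvserver", {"vservername": vserver, "sslprofile": profile}))
    return calls


def send(call, timeout=10):
    """Transmit one built call with urllib (needs network reach to the NSIP)."""
    data = None if call["body"] is None else call["body"].encode()
    request = urllib.request.Request(call["url"], data=data, headers=call["headers"],
                                     method=call["method"])
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    suites = ["TLS1.3-AES256-GCM-SHA384", "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384"]
    for call in hardening_requests("10.0.0.10", "nsroot", "changeme", "vs_https", "ck_web",
                                   "/nsconfig/ssl/web.crt", "/nsconfig/ssl/web.key",
                                   "cg_modern", suites, "fe_strict"):
        print(call["method"], call["url"], call["body"])
```

The order matters on the appliance: the certificate-key pair, cipher group and profile must exist before the bindings reference them, and with a profile bound the ciphers are bound to the profile rather than directly to the virtual server. `send()` is the only function that touches the network; everything else can be reviewed or diffed before a change window.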


Use this method to clear cached ocspStapling response in certkey.


Use this method to convert a legacy profile configuration to the enhanced profile configuration. It reads ns.conf and generates a batch file named sslprofile_cmds.txt, which can be run as a batch on the NetScaler.


Use this method to convert an end-user certificate from PEM format to PKCS#12 format. The resulting file can then be distributed and installed in browsers as a client certificate.


Use this method to convert a PEM or DER format key file to PKCS#8 format before importing it into the FIPS appliance.


Use this method to generate a signed X.509 certificate.


Use this method to generate a new Certificate Signing Request (CSR). A CSR is a collection of information including the domain name, company details, and the public key of the key pair to be certified; the CSR is signed with the corresponding private key, which is not included in the request. Send the CSR to a Certificate Authority (CA) to obtain an X.509 certificate for the user domain (web site).


Use this method to revoke a certificate or a list of certificates, or to generate a CRL for the list of revoked certificates.


Use this method to generate a Diffie-Hellman (DH) key.


Use this method to generate an ECDSA key.


Use this method to generate a FIPS key within the Hardware Security Module (HSM) of the FIPS card.


Use this method to generate an RSA key.


Use this method to generate a wrap key.


Use this method to enable the source FIPS appliance to participate in a secure exchange of keys with the target (secondary) FIPS appliance.


Use this method to enable secure transfer of FIPS keys in a high availability setup from the primary appliance to the secondary appliance.


Use this method to export a certificate bundle from one appliance to another, for backup or editing purposes.


Use this method to export a FIPS key from one appliance to another, or to back up a FIPS key in a secure manner.
The exported key is secured by using a strong asymmetric key encryption method.


Use this method to flush the Dynamic Client Certificates from the cache.


Use this method to delete the cached OCSP status of peer certificates obtained during the SSL handshake.


Use this method to get information about all the SSL actions configured on the appliance, or detailed information about the specified SSL action.


Use this method to get information about all the CA certificate bundles configured on the appliance, or detailed information about the specified CA certificate bundle.


Use this method to get information about either all CA certificate groups or the specified CA certificate group.


Use this method to get a list of all the imported certificate bundle objects on the Citrix ADC.


Use this method to get all the certificates attached to this particular certificate.


Use this method to get a list of all the imported certificate file objects on the Citrix ADC.


Use this method to get information about all the linked certificate-key pairs on the appliance.


Use this method to get information about all the certificate-key pairs configured on the appliance, or detailed information about the specified certificate-key pair.


Use this method to get information about all the certificate-key bundles configured on the appliance, or detailed information about the specified certificate-key bundle.


Use this method to get information about all the linked certificate-key pairs on the appliance.


Use this method to get information about all the cipher groups defined on the appliance, or detailed information about the specified cipher group.


Use this method to get information about all the cipher suites configured on the appliance, or detailed information about the specified cipher suite. A cipher suite comprises a protocol and the following algorithms: key exchange (Kx), authentication (Au), encryption (Enc), and message authentication code (Mac).


Use this method to get information about all the CRLs configured on the appliance, or detailed information about the specified CRL.


Use this method to get a list of all the imported CRL file objects on the Citrix ADC.


Use this method to get a list of all the imported DH file objects on the Citrix ADC.


Use this method to get all the configured DTLS profiles in the system. If a name is specified, then only that profile is shown.


Use this method to get a list of all the echConfigs added on the Citrix ADC.


Use this method to get the information on the FIPS card.


Use this method to get information about all the FIPS keys configured on the appliance, or detailed information about the specified FIPS key.


Use this method to get globally bound SSL policies.


Use this method to get a list of all the HPKE keys added on the Citrix ADC.


Use this method to get a list of all the HSM keys added on the Citrix ADC.


Use this method to get a list of all the imported key file objects on the Citrix ADC.


Use this method to get all the configured SSL log profiles in the system. If a name is specified, then only that profile is shown.


Use this method to get information about all the OCSP responders configured on the appliance, or detailed information about the specified OCSP responder.


Use this method to get information about advanced SSL parameters.


Use this method to get information about all the SSL policies configured on the appliance, or detailed information about the specified SSL policy.


Use this method to get information about all the SSL policy labels, or detailed information about the specified policy label.


Use this method to get all the configured SSL profiles in the system. If a name is specified, then only that profile is shown.


Use this method to get SSL-specific configuration information for all SSL services, or detailed information about the specified SSL service.


Use this method to get SSL-specific configuration information for all SSL service groups, or detailed information about the specified SSL service group.


Use this method to get SSL-specific configuration information for all SSL virtual servers, or detailed information about the specified SSL virtual server.


Use this method to get the wrap keys.


Use this method to import a certificate bundle to the Citrix ADC, assign it a name, and store it.


Use this method to import a certificate file to the Citrix ADC, assign it a name, and store it in the /nsconfig/ssl/certfile folder. The folder is created if it does not exist.


Use this method to import a CRL file to the Citrix ADC, assign it a name, and store it in the /var/netscaler/ssl/crlfile folder. The folder is created if it does not exist.


Use this method to import a DH file to the Citrix ADC, assign it a name, and store it in the /nsconfig/ssl/dhfile folder. The folder is created if it does not exist.


Use this method to import a FIPS key into the Hardware Security Module (HSM) of the FIPS card. It can import an existing FIPS key, or import an external private key as a FIPS key, such as a key that was created on an external Apache or IIS web server.


Use this method to import a key file to the Citrix ADC, assign it a name, and store it in the /nsconfig/ssl/keyfile folder. The folder is created if it does not exist.


Use this method to initialize the source FIPS appliance for participating in a secure exchange of keys with the target (secondary) FIPS appliance.


Use this method to initialize the target (secondary) FIPS appliance for participating in a secure exchange of keys with the primary FIPS appliance.


Use this method to link a certificate-key pair to its Certificate Authority (CA) certificate-key pair.


Use this method to reset the FIPS card to the default password for the Security Officer and User accounts. This method can be used only if the FIPS card has been locked because of three or more unsuccessful login attempts.


Use this method to remove the specified SSL action.


Use this method to remove the specified CA certificate bundle.


Use this method to delete the specified CA certificate group.


Use this method to delete the specified certificate bundle.


Use this method to delete the specified certificate file.


Use this method to remove all the certificate-key pairs, or the specified certificate-key pair, from the appliance. A certificate-key pair is removed only if it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server or linked to another certificate-key pair.


Use this method to remove the specified certificate-key bundle. The certificate-key bundle is removed only if it is not referenced by any SSL virtual server.


Use this method to remove a user-defined cipher group from the appliance.


Use this method to remove the specified CRL from the appliance.


Use this method to delete the specified CRL file.


Use this method to delete the specified DH file.


Use this method to remove a DTLS profile from the Citrix ADC.


Use this method to remove the specified HPKE key.


Use this method to remove all the FIPS keys, or the specified FIPS key, from the appliance.


Use this method to remove the specified HPKE key.


Use this method to remove the specified HSM key from the HSM appliance.


Use this method to delete the specified key file.


Use this method to remove an SSL log profile from the Citrix ADC.


Use this method to remove the specified OCSP responder from the appliance.


Use this method to remove an SSL policy.


Use this method to remove an SSL policy label.


Use this method to remove an SSL profile from the Citrix ADC.


Use this method to remove all the wrap keys, or the specified wrap key, from the appliance.


Use this method to set whether the certificate and key files are automatically deleted from the appliance's storage when the certificate-key pair is removed. When deleteCertKeyFilesOnRemoval is specified on the rm certkey method, it overrides the deleteCertKeyFilesOnRemoval setting given on the add/set certkey method.


Use this method to set whether to issue an alert when the certificate is about to expire.


Use this method to set the cipher name.


Use this method to set the base distinguished name (DN) used in an LDAP search for a CRL. Citrix recommends searching by the Base DN rather than by the Issuer Name from the CA certificate, because the Issuer Name field might not exactly match the DN structure of the LDAP directory.


Use this method to set the LDAP-based CRL retrieval mode to binary.


Use this method to set the bind distinguished name (DN) used to access the CRL object in the LDAP repository when access to the repository is restricted or anonymous access is not allowed.


Use this method to set the CA certificate that issued the CRL. Required if CRL auto-refresh is selected. Install the CA certificate on the appliance before adding the CRL.


Use this method to set the CRL refresh interval. Use the NONE setting to unset this parameter.


Use this method to set the method for CRL refresh. If LDAP is selected, specify the method, CA certificate, base DN, port, and LDAP server name. If HTTP is selected, specify the CA certificate, method, URL, and port. Cannot be changed after a CRL is added.


Use this method to set the password used to access the CRL in the LDAP repository when access to the repository is restricted or anonymous access is not allowed.


Use this method to set the port of the LDAP server.


Use this method to set CRL auto-refresh.


Use this method to set the extent of the search operation on the LDAP server. Available settings function as follows:
One - One level below the Base DN.
Base - Exactly the same level as the Base DN.


Use this method to set the IP address of the LDAP server from which to fetch the CRLs.


Use this method to set the time, in hours (1-24) and minutes (1-60), at which to refresh the CRL.


Use this method to set whether to send a HelloVerifyRequest to validate the client. The request carries a cookie the client must echo before the appliance allocates handshake state, so it protects the DTLS listener against handshakes started from spoofed source addresses.


Use this method to set the initial timeout value for retransmitting the last flight sent from the NetScaler.


Use this method to set the maximum number of bad MAC errors to ignore on a connection before disconnecting. Disabling the terminateSession parameter terminates the session immediately when a bad MAC is detected on the connection.


Use this method to set the maximum number of datagrams that can be queued at the DTLS layer for processing.


Use this method to set maximum number of packets to reassemble. This value helps protect against a fragmented packet attack.


Use this method to set maximum size of records that can be sent if PMTU is disabled.


Use this method to set the time, in seconds, to wait before resending the request.


Use this method to set the source for the maximum record size value. If ENABLED, the value is taken from the PMTU table. If DISABLED, the value is taken from the profile.


Use this method to set whether to terminate the session if the message authentication codes (MACs) of the client and server do not match.


Use this method to set label to identify the Hardware Security Module (HSM).


Use this method to set the FIPS initialization level. The appliance currently supports Level-2 (FIPS 140-2).
This is a mandatory parameter.


Use this method to set the old password for the security officer.
This is a mandatory parameter.


Use this method to set the security officer password that takes effect after you have configured the HSM.
This is a mandatory parameter.


Use this method to set the Hardware Security Module's (HSM) User password.
This is a mandatory parameter.


Use this method to set whether to log all SSL client authentication (ClAuth) events.


Use this method to set whether to log all SSL client authentication (ClAuth) error events.


Use this method to set whether to log all SSL handshake (HS) events.


Use this method to set whether to log all SSL handshake (HS) error events.


Use this method to set maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not apply if the Batching Depth is 1.


Use this method to set number of client certificates to batch together into one OCSP request. Batching avoids overloading the OCSP responder. A value of 1 signifies that each request is queried independently. For a value greater than 1, specify a timeout (batching delay) to avoid inordinately delaying the processing of a single certificate.


Use this method to set whether to enable caching of responses. Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder.


Use this method to set the timeout for caching the OCSP response. After the timeout, the Citrix ADC sends a fresh request to the OCSP responder for the certificate status. If a timeout is not specified, the timeout provided in the OCSP response applies.


Use this method to set the HTTP method used to send the OCSP request. POST is the default. If the request length exceeds 255 bytes, POST is used even if GET is configured.


Use this method to set whether to include the complete client certificate in the OCSP request.


Use this method to set time, in milliseconds, to wait for an OCSP URL Resolution. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server.


Use this method to set the time, in seconds, for which the Citrix ADC waits before considering the response invalid. The response is considered invalid if the Produced At time stamp in the OCSP response exceeds or precedes the current Citrix ADC clock time by more than the amount of time specified.


Use this method to set the time, in milliseconds, to wait for an OCSP response. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Includes the Batching Delay time.


Use this method to set the certificate-key pair that is used to sign OCSP requests. If this parameter is not set, the requests are not signed.


Use this method to set the URL of the OCSP responder.


Use this method to set whether to enable the OCSP nonce extension, which is designed to prevent replay attacks. Without a nonce, a captured "good" response for a since-revoked certificate can be replayed to the appliance for as long as it stays inside the clock-skew window.
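The OCSP settings above interact: the nonce ties a response to one request, the Produced At window bounds how stale a response may be, and the cache timeout (or, when it is 0, the response's own nextUpdate) decides how long a verdict is reused. The following Python is an added example, not Citrix code, that models that behaviour as a two-party exchange so the edge cases can be stepped through: the responder, the revocation table, the clock values and the class names are all constructed, and the messages are dicts carrying RFC 6960 field semantics rather than real DER.

```python
import os


class FakeClock:
    """Settable clock so cache expiry and the skew window can be stepped deterministically."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class OcspResponder:
    """Stand-in for the server named by the responder's URL: answers from a
    constructed revocation table and echoes the request nonce."""
    def __init__(self, revoked, clock, validity=3600):
        self.revoked, self.clock, self.validity = set(revoked), clock, validity
        self.issued = []          # every response kept, to demonstrate replay below

    def respond(self, request):
        now = self.clock()
        resp = {"serial": request["serial"],
                "status": "revoked" if request["serial"] in self.revoked else "good",
                "nonce": request.get("nonce"),
                "produced_at": now, "this_update": now, "next_update": now + self.validity}
        self.issued.append(resp)
        return resp


class OcspClient:
    """The appliance side: response cache, nonce check and Produced At skew window.
    cache_timeout=0 means 'use the response's own nextUpdate'."""
    def __init__(self, responder, clock, cache=True, cache_timeout=0,
                 skew=300, use_nonce=True):
        self.responder, self.clock = responder, clock
        self.cache_on, self.cache_timeout = cache, cache_timeout
        self.skew, self.use_nonce = skew, use_nonce
        self.cache = {}           # serial -> (status, expires_at)

    def check(self, serial):
        """Return (status, source); source is 'cache', 'responder' or a rejection reason."""
        now = self.clock()
        hit = self.cache.get(serial)
        if hit and hit[1] > now:
            return hit[0], "cache"
        nonce = os.urandom(16).hex() if self.use_nonce else None
        resp = self.responder.respond({"serial": serial, "nonce": nonce})
        return self.accept_response(resp, nonce)

    def accept_response(self, resp, nonce):
        """Validate a response against the nonce we sent and the skew window; cache it if accepted."""
        now = self.clock()
        if self.use_nonce and resp.get("nonce") != nonce:
            return "unknown", "rejected: nonce mismatch (possible replay)"
        if abs(resp["produced_at"] - now) > self.skew:
            return "unknown", "rejected: producedAt outside +/-%ds window" % self.skew
        if self.cache_on:
            ttl = self.cache_timeout or (resp["next_update"] - now)
            self.cache[resp["serial"]] = (resp["status"], now + ttl)
        return resp["status"], "responder"


if __name__ == "__main__":
    clock = FakeClock(1700000000)
    responder = OcspResponder(revoked={"0x1234"}, clock=clock)
    client = OcspClient(responder, clock, cache_timeout=600)
    print(client.check("0xabcd"), client.check("0xabcd"), client.check("0x1234"))
    old = responder.issued[0]
    print(client.accept_response(old, "a-fresh-nonce"))      # replay caught by the nonce
    print(OcspClient(responder, clock, use_nonce=False, skew=3600).accept_response(old, None))
```

The last line is the case the nonce parameter exists for: with the nonce disabled, an old "good" response is accepted again as long as its Produced At stamp is within the skew window, so a wide window and no nonce together let a revoked certificate keep working.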


Use this method to set maximum memory size to use for certificate revocation lists (CRLs). This parameter reserves memory for a CRL but sets a limit to the maximum memory that the CRLs loaded on the appliance can consume.


Use this method to set limit to the number of disabled SSL chips after which the ADC restarts. A value of zero implies that the ADC does not automatically restart.


Use this method to set global parameter used to enable default profile feature.


Use this method to set whether to deny renegotiation in specified circumstances. Available settings function as follows:
* NO - Allow SSL renegotiation.
* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or by the Citrix ADC during policy-based client authentication.
* ALL - Deny all secure and nonsecure SSL renegotiation.
* NONSECURE - Deny nonsecure SSL renegotiation. Allows renegotiation only with clients that support the RFC 5746 secure renegotiation extension.


Use this method to set whether to drop requests that lack a Host header on SNI-enabled sessions. If this check is enabled and the HTTP request does not contain a Host header on an SNI-enabled session (i.e. the vserver, or the profile bound to the vserver, has SNI enabled and the Client Hello arrived with the SNI extension), the request is dropped.


Use this method to set maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.


Use this method to set the mode that must be enabled to support both Cavium- and Coleto-based platforms in a cluster environment.


Use this method to set the mode in which the system uses additional crypto hardware to accelerate symmetric crypto operations.


Use this method to set whether to insert a space between lines in the certificate header of the request.


Use this method to set encoding method used to insert the subject or issuer's name in HTTP requests to servers.


Use this method to set whether additional checks are carried out during a TLS handshake when validating an X.509 certificate received from the peer.
Settings apply as follows:
YES - (1) During certificate verification, ignore the Common Name field (inside the subject name) if the Subject Alternative Name X.509 extension is present in the certificate, for backend connections.
(2) Verify that the Extended Key Usage X.509 extension of the server/client leaf certificate received over the wire is consistent with the peer's role (applicable to frontend and backend connections).
(3) Verify that the Basic Constraints CA field is set to TRUE for non-leaf certificates (applicable to frontend and backend connections and to CAs bound to the Citrix ADC).
NO - (1) Verify the Common Name field (inside the subject name) irrespective of the Subject Alternative Name X.509 extension.
(2) Ignore the Extended Key Usage X.509 extension of the server/client leaf certificate.
(3) Do not verify the Basic Constraints CA flag for non-leaf certificates.


Use this method to set size, per packet engine, in megabytes, of the OCSP cache. A maximum of 10% of the packet engine memory can be assigned. Because the maximum allowed packet engine memory is 4GB, the maximum value that can be assigned to the OCSP cache is approximately 410 MB.


Use this method to set limit in percentage of capacity of the crypto operations queue beyond which new SSL connections are not accepted until the queue is reduced.


Use this method to set the PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.


Use this method to set whether to insert the PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:
0 - Auto (PUSH flag is not set.)
1 - Insert PUSH flag into every decrypted record.
2 - Insert PUSH flag into every encrypted record.
3 - Insert PUSH flag into every decrypted and encrypted record.


Use this method to set amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.


Use this method to set whether to send an SSL Close-Notify message to the client at the end of a transaction.


Use this method to set the signature digest algorithms supported by the appliance. The default value is "ALL", which enables the following algorithms depending on the platform:
On VPX: ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512 RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 DSA-SHA1 DSA-SHA224 DSA-SHA256 DSA-SHA384 DSA-SHA512
On MPX with Nitrox-III and Coleto cards: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512 ECDSA-SHA1 ECDSA-SHA224 ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512
Others: RSA-SHA1 RSA-SHA224 RSA-SHA256 RSA-SHA384 RSA-SHA512.
Note: ALL does not include RSA-MD5 on any platform.


Use this method to set how the HTTP 'Host' header value is validated. These checks are performed only if the session is SNI-enabled (i.e. the vserver, or the profile bound to the vserver, has SNI enabled and the Client Hello arrived with the SNI extension) and the HTTP request contains a 'Host' header.
Available settings function as follows:
CERT - The request is forwarded if the 'Host' value is covered by the certificate used to establish this SSL session.
Note: 'CERT' matching mode cannot be applied to TLS 1.3 connections established by resuming a previous TLS 1.3 session. On these connections, 'STRICT' matching mode is used instead.
STRICT - The request is forwarded only if the value of the HTTP 'Host' header is identical to the 'Server name' value passed in the Client Hello of the SSL connection.
NO - No validation is performed on the HTTP 'Host' header value.
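The strict X.509 checks (SAN over CN, Extended Key Usage against the peer's role, Basic Constraints CA=TRUE on non-leaf certificates) and the Host-header matching modes above both reduce to name and role comparisons. The following Python is an added example, not Citrix code, that models both sets of rules on constructed certificate data so the YES/NO and CERT/STRICT/NO outcomes can be compared side by side; the certificates are plain dicts rather than parsed DER, the helper names are assumed, and the treatment of a leaf without any EKU extension (unrestricted, as in RFC 5280) is an assumption the page does not state.

```python
def name_matches(pattern, host):
    """Hostname match with a wildcard allowed only as the entire leftmost label, so
    '*.api.example.com' covers 'v1.api.example.com' but not 'a.b.api.example.com'."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:] and h[0] != ""
    return p == h


def cert_covers(cert, host, strict):
    """strict=True (YES): the CN is ignored when a SAN extension is present.
    strict=False (NO): the CN is always considered as well."""
    names = list(cert.get("san", []))
    if not strict or not names:
        names.append(cert["cn"])
    return any(name_matches(n, host) for n in names)


def verify_chain(chain, host, peer_role, strict):
    """chain[0] is the peer's leaf, the rest are its issuers in order. Returns the
    list of failed checks; an empty list means the chain would be accepted."""
    errors = []
    leaf = chain[0]
    if not cert_covers(leaf, host, strict):
        errors.append("name mismatch for %s" % host)
    if strict:
        need = "serverAuth" if peer_role == "server" else "clientAuth"
        eku = leaf.get("eku")
        # Assumption: a leaf without any EKU extension is unrestricted (RFC 5280 semantics).
        if eku is not None and need not in eku:
            errors.append("EKU lacks %s" % need)
        for ca in chain[1:]:
            if not ca.get("ca", False):
                errors.append("non-leaf %s lacks basicConstraints CA=TRUE" % ca["cn"])
    return errors


def host_header_decision(mode, host_header, sni, leaf_cert,
                         resumed_tls13=False, strict_ca=True, drop_no_host=False):
    """Decide whether an HTTP request is forwarded on a session; mode is the
    CERT/STRICT/NO setting and drop_no_host models the missing-Host-header drop."""
    if sni is None:
        return True, "session not SNI-enabled; no check"
    if host_header is None:
        if drop_no_host:
            return False, "no Host header on SNI session"
        return True, "no Host header; no check"
    if mode == "NO":
        return True, "no validation"
    if mode == "CERT" and resumed_tls13:
        mode = "STRICT"        # CERT cannot be applied on a TLS 1.3 resumption
    host = host_header.rsplit(":", 1)[0].lower()
    if mode == "STRICT":
        return host == sni.lower(), "STRICT: Host %s vs SNI %s" % (host, sni)
    if mode == "CERT":
        return cert_covers(leaf_cert, host, strict_ca), "CERT: Host %s vs certificate names" % host
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    # Constructed data: a leaf whose CN is not in its SAN list, and a broken intermediate.
    leaf = {"cn": "www.example.com", "san": ["www.example.com", "*.api.example.com"],
            "eku": ["serverAuth"]}
    sub = {"cn": "Example Sub CA", "ca": False}
    print(verify_chain([leaf, sub], "www.example.com", "server", strict=True))
    print(verify_chain([leaf, sub], "www.example.com", "server", strict=False))
    print(host_header_decision("CERT", "v1.api.example.com", "www.example.com", leaf))
    print(host_header_decision("CERT", "v1.api.example.com", "www.example.com", leaf,
                               resumed_tls13=True))
```

The two printed chain results show what the YES setting buys: the same chain that NO accepts is rejected under YES because the intermediate lacks CA=TRUE. The two Host-header results show the TLS 1.3 resumption fallback: a Host covered by a wildcard SAN passes CERT on a full handshake but fails on a resumed session, where STRICT requires equality with the SNI.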


Use this method to set the Citrix ADC CPU utilization threshold (in percent) beyond which crypto operations are not done in software.
A value of zero implies that the CPU is not used for doing crypto in software.


Use this method to set whether to dynamically learn and cache the learned information used for subsequent interception or bypass decisions. When enabled, the NS looks up this cached data to bypass early.


Use this method to set the maximum memory that can be used for caching the learned data. The memory is used as an LRU cache, so old entries are replaced with new ones once the configured limit is fully utilised. A value of 0 lets the appliance decide the limit automatically.


Use this method to set the time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10 ms beyond the specified timeout value before the packet is pushed into the queue.


Use this method to set whether to enable strict CA certificate checks on the appliance.


Use this method to set name of the undefined built-in control action: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, or DROP.


Use this method to set name of the undefined built-in data action: NOOP, RESET or DROP.


Use this method to set the name of the built-in or user-defined action to perform on the request. Available built-in actions are NOOP, RESET, DROP, CLIENTAUTH, NOCLIENTAUTH, INTERCEPT, and BYPASS.


Use this method to set any comments associated with this policy.


Use this method to set the expression against which traffic is evaluated.

The following requirements apply only to the Citrix ADC CLI:
* If the expression includes one or more spaces, enclose the entire expression in double quotation marks.
* If the expression itself includes double quotation marks, escape them with the backslash (\) character.
* Alternatively, you can use single quotation marks to enclose the rule, in which case you do not have to escape the double quotation marks.


Use this method to set name of the action to be performed when the result of rule evaluation is undefined. Possible values for control policies: CLIENTAUTH, NOCLIENTAUTH, NOOP, RESET, DROP. Possible values for data policies: NOOP, RESET, DROP and BYPASS


Use this method to set whether to attempt to use the TLS Extended Master Secret (EMS, as described in RFC 7627) when negotiating TLS 1.0, TLS 1.1 and TLS 1.2 connection parameters. When set to YES, EMS is used if both the TLS client and server support it; it cannot be enabled unilaterally during a handshake. EMS binds the master secret to the full handshake transcript, which is what closes the session-splicing (triple handshake) weakness that RFC 7627 addresses. This setting applies to both frontend and backend SSL profiles.


Use this method to set whether legacy key derivation (handshakes without EMS) is allowed. FIPS 140-3 certification requires that all handshakes without EMS be blocked. Such KDFs are allowed by default; this setting allows or disallows them when needed. This setting applies to both frontend and backend SSL profiles.


Use this method to set the application protocol supported by the server and used in negotiating the protocol with the client. Possible values are HTTP1.1, HTTP2, and NONE. The default value is NONE, which means no application protocol is enabled and it therefore remains unknown to the TLS layer. This parameter is relevant only if the SSL connection is handled by a virtual server of type SSL_TCP.


Use this method to set the cipher group/alias/individual cipher configuration


Use this method to set state of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.
This parameter is not applicable when configuring a backend profile.


Use this method to set port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.


Use this method to set state of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate.
This parameter is not applicable when configuring a backend profile.


Use this method to set whether only the certificates bound on the VIP are used for validating the client certificate. Certificates that arrive along with the client certificate are then not used for validating it.


Use this method to set name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.


Use this method to set the default domain name supported by the SSL virtual server. The parameter takes effect when zero-touch certificate management is active for the SSL virtual server, i.e. no manual SNI certificate or default server certificate is bound to the vserver. For SSL transactions in which the client does not present SNI, the server certificate corresponding to the default SNI is selected if it is available in the cert store; otherwise the connection is terminated.


Use this method to deny SSL renegotiation in the specified circumstances. Available settings function as follows:
* NO - Allow SSL renegotiation.
* FRONTEND_CLIENT - Deny secure and nonsecure SSL renegotiation initiated by the client.
* FRONTEND_CLIENTSERVER - Deny secure and nonsecure SSL renegotiation initiated by the client or by the Citrix ADC during policy-based client authentication.
* ALL - Deny all secure and nonsecure SSL renegotiation.
* NONSECURE - Deny nonsecure SSL renegotiation. Only clients that support secure renegotiation (RFC 5746) are allowed to renegotiate.
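The NONSECURE setting hinges on whether the client signalled RFC 5746 support in its ClientHello, either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite or with the renegotiation_info extension. The following added example (not Citrix code, and not how the appliance implements the check) parses a raw ClientHello record for those two signals and then applies each of the five settings above to a renegotiation attempt. The initiator names "client", "adc" and "server" are this example's own labels; the ClientHello bytes are constructed inline, not captured.

```python
"""Parse a TLS ClientHello, detect the RFC 5746 secure-renegotiation signal,
and apply the five denysslreneg settings. Added example with constructed input."""
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746 section 3.3)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746 section 3.2)
INITIATORS = ("client", "adc", "server")   # "adc" = appliance-driven client auth re-handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the cipher suites and extension types carried in a TLS record
    holding a ClientHello. Raises ValueError on anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + hello[pos]                           # session_id<0..32>
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # compression_methods<1..255>
    ext_types = []
    if pos < len(hello):                            # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            ext_types.append(etype)
            pos += 4 + elen
    return {"cipher_suites": suites, "extensions": ext_types}


def supports_secure_renegotiation(hello: dict) -> bool:
    """RFC 5746: either signal is enough to mark the client as capable."""
    return SCSV in hello["cipher_suites"] or RENEG_INFO_EXT in hello["extensions"]


def renegotiation_allowed(policy: str, hello: dict, initiator: str) -> bool:
    """Apply one denysslreneg setting to a renegotiation attempt."""
    if initiator not in INITIATORS:
        raise ValueError("unknown initiator %r" % initiator)
    if policy == "NO":
        return True
    if policy == "ALL":
        return False
    if policy == "NONSECURE":
        return supports_secure_renegotiation(hello)
    if policy == "FRONTEND_CLIENT":
        return initiator != "client"
    if policy == "FRONTEND_CLIENTSERVER":
        return initiator not in ("client", "adc")
    raise ValueError("unknown policy %r" % policy)


def build_client_hello(cipher_suites, extensions=()) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record (constructed test input)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, fixed random, empty session_id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a legacy client and an RFC 5746-capable client
# (renegotiation_info on an initial handshake carries an empty value, hence b"\x00").
LEGACY_HELLO = build_client_hello([0x002F, 0x0035])
MODERN_HELLO = build_client_hello([0xC02F, 0x002F, SCSV], extensions=[(RENEG_INFO_EXT, b"\x00")])

if __name__ == "__main__":
    for name, raw in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        hello = parse_client_hello(raw)
        for policy in ("NO", "NONSECURE", "FRONTEND_CLIENT", "FRONTEND_CLIENTSERVER", "ALL"):
            print(name, policy, renegotiation_allowed(policy, hello, "client"))
```

The legacy client is refused renegotiation under NONSECURE while the modern one is allowed; under FRONTEND_CLIENT both are refused, because that setting does not care whether the renegotiation would be secure.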


Use this method to set state of Diffie-Hellman (DH) key exchange.
This parameter is not applicable when configuring a backend profile.


Use this method to set number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time.
This parameter is not applicable when configuring a backend profile. Allowed DH count values are 0 and >= 500.


Use this method to set whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake.
A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange.
If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client.
If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.


Use this method to enable the use of the NIST-recommended (NIST Special Publication 800-56A) private-key size for DH key exchange. For example, for 2048-bit DH parameters, the recommended private-key size is 224 bits, which is rounded up to 256 bits.


Use this method to set the host header check for SNI-enabled sessions. If this check is enabled and an HTTP request on an SNI-enabled session (that is, the virtual server or the profile bound to it has SNI enabled and the Client Hello arrived with the SNI extension) does not contain the Host header, the request is dropped.


Use this method to enable or disable Dynamic Client Certificate Generation for SSL sessions.


Use this method to set state of TLS 1.3 Encrypted Client Hello Support


Use this method to set maximum number of queued packets after which encryption is triggered. Use this setting for SSL transactions that send small packets from server to Citrix ADC.


Use this method to set state of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.
This parameter is not applicable when configuring a backend profile.


Use this method to set the state of HSTS protocol support for the SSL profile. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.


Use this method to enable HSTS for subdomains. If set to YES, the includeSubDomains directive is added to the Strict-Transport-Security header and a client must send only HTTPS requests to subdomains as well.


Use this method to set the encoding method used to insert the subject's or issuer's name in HTTP requests to servers.


Use this method to set the maximum time, in seconds, in the Strict-Transport-Security (STS) header during which the client must send only HTTPS requests to the server.


Use this method to set state of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate.


Use this method to set the flag that indicates the site owner's consent to have the domain preloaded (the preload directive of the Strict-Transport-Security header).


Use this method to set the lifetime, in seconds, of the symmetric key used to protect the session tickets issued by the Citrix ADC (NS).


Use this method to set how encryption is triggered on the basis of the PUSH flag value. Available settings function as follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter method or in the Change Advanced SSL Settings dialog box.


Use this method to set the PUSH encryption trigger timeout value. The timeout value is applied only if you set the Push Encryption Trigger parameter to Timer in the SSL virtual server settings.


Use this method to set whether to insert the PUSH flag into decrypted, encrypted, or all records. If the PUSH flag is set to a value other than 0, the buffered records are forwarded on the basis of the value of the PUSH flag. Available settings function as follows:
0 - Auto (PUSH flag is not set.)
1 - Insert PUSH flag into every decrypted record.
2 - Insert PUSH flag into every encrypted record.
3 - Insert PUSH flag into every decrypted and encrypted record.


Use this method to set amount of data to collect before the data is pushed to the crypto hardware for encryption. For large downloads, a larger quantum size better utilizes the crypto resources.


Use this method to set state of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.


Use this method to enable sending an SSL close_notify alert at the end of a transaction.


Use this method to set state of server authentication support for the SSL Backend profile.


Use this method to set the lifetime, in seconds, of the symmetric key used to protect the session tickets issued by the Citrix ADC (NS).


Use this method to enable the use of session tickets, as per RFC 5077.


Use this method to set the session ticket encryption/decryption key explicitly. An administrator can set it, but it must be handled as a secret: anyone holding the key can decrypt issued tickets and the sessions they resume.


Use this method to enable the use of session tickets, as per RFC 5077.


Use this method to set the lifetime, in seconds, of the session tickets issued by the Citrix ADC (NS).


Use this method to set state of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.


Use this method to set the flag that controls the processing of X.509 certificate policies. If this option is ENABLED, the certificate policy check during client authentication is skipped. This option can be used only when client authentication is ENABLED and ClientCert is set to Mandatory.


Use this method to set state of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.


Use this method to set how the HTTP 'Host' header value is validated. These checks are performed only if the session is SNI enabled (that is, the virtual server or the profile bound to it has SNI enabled and the Client Hello arrived with the SNI extension) and the HTTP request contains a 'Host' header.
Available settings function as follows:
* CERT - The request is forwarded if the 'Host' value is covered by the certificate used to establish this SSL session. Note: CERT matching cannot be applied to TLS 1.3 connections established by resuming a previous TLS 1.3 session; on these connections, STRICT matching is used instead.
* STRICT - The request is forwarded only if the value of the HTTP 'Host' header is identical to the 'Server name' value passed in the Client Hello of the SSL connection.
* NO - No validation is performed on the HTTP 'Host' header value.
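The three modes above, together with the "drop request with no host header" option described earlier, decide whether a request that arrived on an SNI session is forwarded. The added example below (not Citrix code) models that decision: STRICT compares Host with the SNI name, CERT checks Host against the certificate's names with single-label wildcard matching as in RFC 6125, NO skips the check, and CERT falls back to STRICT on a resumed TLS 1.3 session as the note says. The certificate names, SNI value and Host header values are constructed, and a port suffix on the Host header is stripped before comparison, which is this example's choice rather than documented appliance behaviour.

```python
"""Host header validation for SNI-enabled sessions, modelling the CERT,
STRICT and NO settings. Added example with constructed names."""
from typing import Optional, Sequence, Tuple


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard that is the whole
    leftmost label and covers exactly one label (so *.sports.net covers
    help.sports.net but not a.b.sports.net or sports.net)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # rejects "*", "*.net" and partial wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Sequence[str], host: str) -> bool:
    """True if any DNS name in the certificate covers the host."""
    return any(hostname_matches(name, host) for name in cert_names)


def host_from_header(value: str) -> str:
    """Strip an optional :port; keep a bracketed IPv6 literal intact."""
    value = value.strip()
    if value.startswith("["):
        return value[: value.index("]") + 1]
    return value.split(":", 1)[0]


def validate_host(mode: str, sni: Optional[str], host_header: Optional[str],
                  cert_names: Sequence[str], resumed_tls13: bool = False,
                  drop_if_no_host: bool = False) -> Tuple[bool, str]:
    """Return (forward, reason). The checks apply only when the ClientHello
    carried SNI (sni is not None)."""
    if sni is None:
        return True, "no SNI on this session; check not applicable"
    if host_header is None:
        if drop_if_no_host:
            return False, "dropped: SNI session without a Host header"
        return True, "no Host header; nothing to validate"
    host = host_from_header(host_header)
    if mode == "NO":
        return True, "NO: Host header not validated"
    if mode == "CERT" and resumed_tls13:
        mode = "STRICT"                   # CERT cannot be applied on a resumed TLS 1.3 session
    if mode == "STRICT":
        ok = host.lower() == sni.lower()
        return ok, "STRICT: Host %s SNI %s" % ("==" if ok else "!=", sni)
    if mode == "CERT":
        ok = cert_covers(cert_names, host)
        return ok, "CERT: %s %s covered by the certificate" % (host, "is" if ok else "is not")
    raise ValueError("unknown mode %r" % mode)


# Constructed inputs, reusing the *.sports.net example from the SNI description.
CERT_NAMES = ("www.sports.net", "*.sports.net")
SNI = "login.sports.net"

if __name__ == "__main__":
    for mode in ("CERT", "STRICT", "NO"):
        for host in ("login.sports.net:443", "help.sports.net", "a.b.sports.net", "evil.example"):
            print(mode, host, validate_host(mode, SNI, host, CERT_NAMES))
```

The interesting row is help.sports.net: CERT forwards it because the wildcard certificate covers it, STRICT refuses it because it differs from the SNI name, which is why STRICT is the safer choice when each hostname is meant to reach its own backend.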


Use this method to set state of SSLv3 protocol support for the SSL profile.
Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.


Use this method to set whether NetScaler logs the session ID and SNI name during SSL handshakes on both the external and internal interfaces.


Use this method to set the maximum number of SSL sessions to be cached per dynamic origin server. A unique SSL session is created for each SNI received from the client in the ClientHello, and the matching session is used for server-side session reuse.


Use this method to enable or disable transparent interception of SSL sessions.


Use this method to enable or disable the OCSP check for the origin server certificate.


Use this method to enable or disable triggering client renegotiation when a renegotiation request is received from the origin server.


Use this method to set the name of the ssllogprofile.


Use this method to set state of HTTPS redirects for the SSL service.
For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.
If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.
This parameter is not applicable when configuring a backend profile.


Use this method to set time, in milliseconds, after which encryption is triggered for transactions that are not tracked on the Citrix ADC because their length is not known. There can be a delay of up to 10ms from the specified timeout value before the packet is pushed into the queue.


Use this method to enable strict CA certificate checks on the appliance.


Use this method to set whether to check that the peer's certificate, presented during a TLS 1.2 handshake, is signed with one of the signature-hash combinations supported by the Citrix ADC.


Use this method to set state of TLSv1.0 protocol support for the SSL profile.


Use this method to set state of TLSv1.1 protocol support for the SSL profile.


Use this method to set state of TLSv1.2 protocol support for the SSL profile.


Use this method to set state of TLSv1.3 protocol support for the SSL profile.


Use this method to set the number of tickets the SSL virtual server issues whenever TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client authentication completes.
This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection.
No tickets are sent if resumption is disabled.


Use this method to set state of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake.
Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.
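Taken together, the profile settings above amount to a small policy: legacy protocol versions off, renegotiation restricted, HSTS on with a sane max-age before consenting to preload, OCSP stapling on, 0-RTT off unless the application tolerates replays, and DHE required with PSK so resumed sessions keep forward secrecy. The added example below (not Citrix code) audits a profile dictionary against that policy and emits the JSON body that would apply the hardened settings. The attribute names (ssl3, tls1, tls11, tls12, tls13, denysslreneg, hsts, maxage, includesubdomains, preload, ocspstapling, zerorttearlydata, dhekeyexchangewithpsk, sslprofiletype) are assumed to match the NITRO sslprofile resource, the YES/NO values for the HSTS and DHE flags are assumed, the weak profile is constructed, and the one-year preload minimum comes from the hstspreload.org submission rules rather than from this page.

```python
"""Audit an SSL front-end profile against the settings described above and
build the NITRO-style body for the hardened version. Added example; attribute
names are assumed to match the sslprofile resource."""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]      # (severity, attribute, message)
ONE_YEAR = 365 * 24 * 3600          # minimum max-age accepted by the HSTS preload list

# Constructed weak profile; values follow the page's ENABLED/DISABLED and YES/NO forms.
WEAK_PROFILE: Dict[str, object] = {
    "name": "legacy_frontend", "sslprofiletype": "FrontEnd",
    "ssl3": "ENABLED", "tls1": "ENABLED", "tls11": "ENABLED",
    "tls12": "ENABLED", "tls13": "DISABLED",
    "denysslreneg": "NO",
    "hsts": "DISABLED", "maxage": 0, "includesubdomains": "NO", "preload": "NO",
    "ocspstapling": "DISABLED",
    "zerorttearlydata": "ENABLED", "dhekeyexchangewithpsk": "NO",
}

HARDENED_SETTINGS: Dict[str, object] = {
    "ssl3": "DISABLED", "tls1": "DISABLED", "tls11": "DISABLED",
    "tls12": "ENABLED", "tls13": "ENABLED",
    "denysslreneg": "NONSECURE",          # ALL if no client legitimately renegotiates
    "hsts": "ENABLED", "maxage": ONE_YEAR, "includesubdomains": "YES",
    "preload": "NO",                      # YES only once the domain is actually submitted
    "ocspstapling": "ENABLED",
    "zerorttearlydata": "DISABLED",       # early data can be replayed
    "dhekeyexchangewithpsk": "YES",       # forward secrecy for resumed sessions
}


def audit_profile(p: Dict[str, object]) -> List[Finding]:
    """Return the policy findings for one profile, most severe first by design."""
    f: List[Finding] = []
    for proto in ("ssl3", "tls1", "tls11"):
        if p.get(proto) == "ENABLED":
            f.append(("high", proto, "legacy protocol version enabled"))
    if "ENABLED" not in (p.get("tls12"), p.get("tls13")):
        f.append(("high", "tls12", "neither TLS 1.2 nor TLS 1.3 enabled"))
    if p.get("denysslreneg", "NO") == "NO":
        f.append(("high", "denysslreneg", "renegotiation unrestricted; use NONSECURE or ALL"))
    if p.get("sslprofiletype") != "FrontEnd":
        return f                          # remaining checks are front-end only
    if p.get("hsts") != "ENABLED":
        f.append(("medium", "hsts", "HSTS disabled"))
    elif p.get("preload") == "YES" and (int(p.get("maxage", 0)) < ONE_YEAR
                                        or p.get("includesubdomains") != "YES"):
        f.append(("medium", "preload", "preload consent needs max-age >= 1 year and includeSubdomains"))
    if p.get("ocspstapling") != "ENABLED":
        f.append(("low", "ocspstapling", "OCSP stapling disabled"))
    if p.get("zerorttearlydata") == "ENABLED":
        f.append(("medium", "zerorttearlydata", "0-RTT early data accepted; requests are replayable"))
    if p.get("tls13") == "ENABLED" and p.get("dhekeyexchangewithpsk") != "YES":
        f.append(("low", "dhekeyexchangewithpsk", "resumed TLS 1.3 sessions lack forward secrecy"))
    return f


def hardened_copy(p: Dict[str, object]) -> Dict[str, object]:
    """Same profile with the hardened settings applied on top."""
    h = dict(p)
    h.update(HARDENED_SETTINGS)
    return h


def nitro_body(p: Dict[str, object]) -> str:
    """JSON body in the {"sslprofile": {...}} shape (assumed NITRO convention)."""
    return json.dumps({"sslprofile": p}, indent=2, sort_keys=True)


if __name__ == "__main__":
    for sev, attr, msg in audit_profile(WEAK_PROFILE):
        print("%-6s %-24s %s" % (sev, attr, msg))
    print(nitro_body(hardened_copy(WEAK_PROFILE)))
```

The audit deliberately skips the DHE-with-PSK finding while TLS 1.3 is disabled, and skips the HSTS, stapling and 0-RTT checks for back-end profiles, mirroring the "not applicable when configuring a backend profile" notes above.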


Use this method to set state of Cipher Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.
This parameter is not applicable when configuring a backend service.


Use this method to set state of client authentication. In service-based SSL offload, the service terminates the SSL handshake if the SSL client does not provide a valid certificate.
This parameter is not applicable when configuring a backend service.


Use this method to set the name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.


Use this method to set state of Diffie-Hellman (DH) key exchange. This parameter is not applicable when configuring a backend service.


Use this method to set number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time. This parameter is not applicable when configuring a backend service. Allowed DH count values are 0 and >= 500.


Use this method to enable the use of the NIST-recommended (NIST Special Publication 800-56A) private-key size for DH key exchange. For example, for 2048-bit DH parameters, the recommended private-key size is 224 bits, which is rounded up to 256 bits.


Use this method to set state of DTLSv1.0 protocol support for the SSL service.


Use this method to set state of DTLSv1.2 protocol support for the SSL service.


Use this method to set name of the DTLS profile that contains DTLS settings for the service.


Use this method to set state of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.
This parameter is not applicable when configuring a backend service.


Use this method to set state of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate.


Use this method to set how encryption is triggered on the basis of the PUSH flag value. Available settings function as follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter method or in the Change Advanced SSL Settings dialog box.


Use this method to set state of the port rewrite while performing HTTPS redirect. If this parameter is set to ENABLED, and the URL from the server does not contain the standard port, the port is rewritten to the standard.


Use this method to enable sending an SSL close_notify alert at the end of a transaction.


Use this method to set state of server authentication support for the SSL service.


Use this method to set state of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.


Use this method to set state of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.


Use this method to set state of SSLv2 protocol support for the SSL service.
This parameter is not applicable when configuring a backend service.


Use this method to set state of SSLv3 protocol support for the SSL service.
Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.


Use this method to enable or disable the logging of additional information, such as the Session ID and SNI name, from SSL handshakes to the audit logs.


Use this method to set name of the SSL profile that contains SSL settings for the service.


Use this method to set state of HTTPS redirects for the SSL service.

For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.
If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.

This parameter is not applicable when configuring a backend service.


Use this method to set state of SSLv2 Redirect. If this parameter is set to ENABLED, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.
This parameter is not applicable when configuring a backend service.


Use this method to set whether to check that the peer's certificate, presented during a TLS 1.2 handshake, is signed with one of the signature-hash combinations supported by the Citrix ADC.


Use this method to set state of TLSv1.0 protocol support for the SSL service.


Use this method to set state of TLSv1.1 protocol support for the SSL service.


Use this method to set state of TLSv1.2 protocol support for the SSL service.


Use this method to set state of TLSv1.3 protocol support for the SSL service.


Use this method to set the name to be checked against the CommonName (CN) field in the server certificate bound to the SSL server.


Use this method to set state of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate.


Use this method to enable sending an SSL close_notify alert at the end of a transaction.


Use this method to set state of server authentication support for the SSL service group.


Use this method to set state of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.


Use this method to set state of the Server Name Indication (SNI) feature on the service. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.


Use this method to set state of SSLv3 protocol support for the SSL service group.
Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.


Use this method to enable or disable the logging of additional information, such as the Session ID and SNI names, from SSL handshakes to the audit logs.


Use this method to set name of the SSL profile that contains SSL settings for the Service Group.


Use this method to set whether to check that the peer's certificate is signed with one of the signature-hash combinations supported by the Citrix ADC.


Use this method to set state of TLSv1.0 protocol support for the SSL service group.


Use this method to set state of TLSv1.1 protocol support for the SSL service group.


Use this method to set state of TLSv1.2 protocol support for the SSL service group.


Use this method to set state of TLSv1.3 protocol support for the SSL service group.


Use this method to set state of Cipher Redirect. If cipher redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a cipher mismatch between the virtual server or service and the client.


Use this method to set port on which clear-text data is sent by the appliance to the server. Do not specify this parameter for SSL offloading with end-to-end encryption.


Use this method to set state of client authentication. If client authentication is enabled, the virtual server terminates the SSL handshake if the SSL client does not provide a valid certificate.


Use this method to set the default domain name supported by the SSL virtual server. The parameter takes effect when zero-touch certificate management is active for the SSL virtual server, that is, when no manual SNI certificate or default server certificate is bound to the virtual server.
For SSL transactions in which the client does not present SNI, the server certificate corresponding to the default SNI is selected if it is available in the cert store; otherwise the connection is terminated.


Use this method to set state of Diffie-Hellman (DH) key exchange.


Use this method to set number of interactions, between the client and the Citrix ADC, after which the DH private-public pair is regenerated. A value of zero (0) specifies refresh every time.


Use this method to set whether or not the SSL Virtual Server will require a DHE key exchange to occur when a PSK is accepted during a TLS 1.3 resumption handshake.
A DHE key exchange ensures forward secrecy even in the event that ticket keys are compromised, at the expense of an additional round trip and resources required to carry out the DHE key exchange.
If disabled, a DHE key exchange will be performed when a PSK is accepted but only if requested by the client.
If enabled, the server will require a DHE key exchange when a PSK is accepted regardless of whether the client supports combined PSK-DHE key exchange. This setting only has an effect when resumption is enabled.


Use this method to enable the use of the NIST-recommended (NIST Special Publication 800-56A) private-key size for DH key exchange. For example, for 2048-bit DH parameters, the recommended private-key size is 224 bits, which is rounded up to 256 bits.


Use this method to set state of DTLSv1.0 protocol support for the SSL Virtual Server.


Use this method to set state of DTLSv1.2 protocol support for the SSL Virtual Server.


Use this method to set name of the DTLS profile whose settings are to be applied to the virtual server.


Use this method to set state of Ephemeral RSA (eRSA) key exchange. Ephemeral RSA allows clients that support only export ciphers to communicate with the secure server even if the server certificate does not support export clients. The ephemeral RSA key is automatically generated when you bind an export cipher to an SSL or TCP-based SSL virtual server or service. When you remove the export cipher, the eRSA key is not deleted. It is reused at a later date when another export cipher is bound to an SSL or TCP-based SSL virtual server or service. The eRSA key is deleted when the appliance restarts.


Use this method to set the state of HSTS protocol support for the SSL virtual server. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client.


Use this method to enable HSTS for subdomains. If set to YES, the includeSubDomains directive is added to the Strict-Transport-Security header and a client must send only HTTPS requests to subdomains as well.


Use this method to set the maximum time, in seconds, in the Strict-Transport-Security (STS) header during which the client must send only HTTPS requests to the server.


Use this method to set state of OCSP stapling support on the SSL virtual server. Supported only if the protocol used is higher than SSLv3. Possible values:
ENABLED: The appliance sends a request to the OCSP responder to check the status of the server certificate and caches the response for the specified time. If the response is valid at the time of SSL handshake with the client, the OCSP-based server certificate status is sent to the client during the handshake.
DISABLED: The appliance does not check the status of the server certificate.


Use this method to set the flag that indicates the site owner's consent to have the domain preloaded (the preload directive of the Strict-Transport-Security header).


Use this method to set how encryption is triggered on the basis of the PUSH flag value. Available settings function as follows:
* ALWAYS - Any PUSH packet triggers encryption.
* IGNORE - Ignore PUSH packet for triggering encryption.
* MERGE - For a consecutive sequence of PUSH packets, the last PUSH packet triggers encryption.
* TIMER - PUSH packet triggering encryption is delayed by the time defined in the set ssl parameter method or in the Change Advanced SSL Settings dialog box.


Use this method to set state of the port rewrite while performing HTTPS redirect. If this parameter is ENABLED and the URL from the server does not contain the standard port, the port is rewritten to the standard.


Use this method to enable sending an SSL close_notify alert at the end of a transaction.


Use this method to set state of session reuse. Establishing the initial handshake requires CPU-intensive public key encryption operations. With the ENABLED setting, session key exchange is avoided for session resumption requests received from the client.


Use this method to set state of the Server Name Indication (SNI) feature on the virtual server and service-based offload. SNI helps to enable SSL encryption on multiple domains on a single virtual server or service if the domains are controlled by the same organization and share the same second-level domain name. For example, *.sports.net can be used to secure domains such as login.sports.net and help.sports.net.


Use this method to set state of SSLv2 protocol support for the SSL Virtual Server.


Use this method to set state of SSLv3 protocol support for the SSL Virtual Server.
Note: On platforms with SSL acceleration chips, if the SSL chip does not support SSLv3, this parameter cannot be set to ENABLED.


Use this method to enable or disable the logging of additional information, such as the Session ID and SNI names, from SSL handshakes to the audit logs.


Use this method to set name of the SSL profile that contains SSL settings for the virtual server.


Use this method to set state of HTTPS redirects for the SSL virtual server.

For an SSL session, if the client browser receives a redirect message, the browser tries to connect to the new location. However, the secure SSL session breaks if the object has moved from a secure site (https://) to an unsecure site (http://). Typically, a warning message appears on the screen, prompting the user to continue or disconnect.
If SSL Redirect is ENABLED, the redirect message is automatically converted from http:// to https:// and the SSL session does not break.


Use this method to set state of SSLv2 Redirect. If SSLv2 redirect is enabled, you can configure an SSL virtual server or service to display meaningful error messages if the SSL handshake fails because of a protocol version mismatch between the virtual server or service and the client.


Use this method to set whether to check that the peer's certificate, presented during a TLS 1.2 handshake, is signed with one of the signature-hash combinations supported by the Citrix ADC.


Use this method to set state of TLSv1.0 protocol support for the SSL Virtual Server.


Use this method to set state of TLSv1.1 protocol support for the SSL Virtual Server.


Use this method to set state of TLSv1.2 protocol support for the SSL Virtual Server.


Use this method to set state of TLSv1.3 protocol support for the SSL Virtual Server.


Use this method to set the number of tickets the SSL virtual server issues whenever TLS 1.3 is negotiated, ticket-based resumption is enabled, and either (1) a handshake completes or (2) post-handshake client authentication completes.
This value can be increased to enable clients to open multiple parallel connections using a fresh ticket for each connection.
No tickets are sent if resumption is disabled.


Use this method to set state of TLS 1.3 0-RTT early data support for the SSL Virtual Server. This setting only has an effect if resumption is enabled, as early data cannot be sent along with an initial handshake.
Early application data has significantly different security properties - in particular there is no guarantee that the data cannot be replayed.


Use this method to set maximum time, in milliseconds, to wait to accumulate OCSP requests to batch. Does not apply if the Batching Depth is 1.


Use this method to set number of certificates to batch together into one OCSP request. Batching avoids overloading the OCSP responder. A value of 1 signifies that each request is queried independently. For a value greater than 1, specify a timeout (batching delay) to avoid inordinately delaying the processing of a single certificate.


Use this method to set timeout(in minutes) for caching the OCSP response.


Use this method to set the HTTP method used to send the OCSP request. POST is the default. If the request length is greater than 255 bytes, POST is used even if GET is set as the HTTP method.


Use this method to set time, in seconds, for which the Citrix ADC waits before considering the response as invalid. The response is considered invalid if the Produced At time stamp in the OCSP response exceeds or precedes the current Citrix ADC clock time by the amount of time specified.


Use this method to set time, in milliseconds, to wait for an OCSP response. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server. Includes Batching Delay time.


Use this method to set the trustResponder flag. If it is set to YES, signature verification of the OCSP response is skipped. Leave it at NO unless the responder is reached over a channel that already authenticates it; an unverified response can be forged by anyone able to answer the OCSP request.


Use this method to set time, in milliseconds, to wait for an OCSP URL Resolution. When this time elapses, an error message appears or the transaction is forwarded, depending on the settings on the virtual server.


Use this method to enable the OCSP nonce extension, which is designed to prevent replay of OCSP responses.


Use this method to unbind certkey from ssl caCertGroup.


Use this method to unbind ca from ssl certKey.


Use this method to unbind ocspresponder from ssl certKey.


Use this method to unbind servicegroup from ssl certKey.


Use this method to unbind service from ssl certKey.


Use this method to unbind vserver from ssl certKey.


Use this method to unbind cipher from ssl cipher.


Use this method to unbind policy from ssl global.


Use this method to unbind policy from ssl policylabel.


Use this method to unbind certkey from ssl profile.


Use this method to unbind cipher from ssl profile.


Use this method to unbind ecccurve from ssl profile.


Use this method to unbind echconfig from ssl profile.


Use this method to unbind sslicacertkey from ssl profile.


Use this method to unbind cacertbundle from ssl service.


Use this method to unbind certkey from ssl service.


Use this method to unbind cipher from ssl service.


Use this method to unbind ecccurve from ssl service.


Use this method to unbind policy from ssl service.


Use this method to unbind cacertbundle from ssl serviceGroup.


Use this method to unbind certkey from ssl serviceGroup.


Use this method to unbind cipher from ssl serviceGroup.


Use this method to unbind ecccurve from ssl serviceGroup.


Use this method to unbind cacertbundle from ssl vserver.


Use this method to unbind certkeybundle from ssl vserver.


Use this method to unbind certkey from ssl vserver.


Use this method to unbind cipher from ssl vserver.


Use this method to unbind ecccurve from ssl vserver.


Use this method to unbind policy from ssl vserver.


Use this method to unlink the certificate-key pair from its Certificate-Authority (CA) certificate-key pair.


Remove ssl certKey deletecertkeyfilesonremoval setting.


Remove ssl certKey expirymonitor setting.


Remove ssl certKey notificationperiod setting.


Remove ssl cipher cipher setting.


Remove ssl cipher cipherpriority setting.


Remove ssl crl basedn setting.


Remove ssl crl binary setting.


Remove ssl crl binddn setting.


Remove ssl crl cacert setting.


Remove ssl crl day setting.


Remove ssl crl interval setting.


Remove ssl crl method setting.


Remove ssl crl password setting.


Remove ssl crl port setting.


Remove ssl crl refresh setting.


Remove ssl crl scope setting.


Remove ssl crl server setting.


Remove ssl crl time setting.


Remove ssl crl url setting.


Remove ssl dtlsProfile helloverifyrequest setting.


Remove ssl dtlsProfile initialretrytimeout setting.


Remove ssl dtlsProfile maxbadmacignorecount setting.


Remove ssl dtlsProfile maxholdqlen setting.


Remove ssl dtlsProfile maxpacketsize setting.


Remove ssl dtlsProfile maxrecordsize setting.


Remove ssl dtlsProfile maxretrytime setting.


Remove ssl dtlsProfile pmtudiscovery setting.


Remove ssl dtlsProfile terminatesession setting.


Remove ssl fips hsmlabel setting.


Remove ssl logprofile ssllogclauth setting.


Remove ssl logprofile ssllogclauthfailures setting.


Remove ssl logprofile sslloghs setting.


Remove ssl logprofile sslloghsfailures setting.


Remove ssl ocspResponder batchingdelay setting.


Remove ssl ocspResponder batchingdepth setting.


Remove ssl ocspResponder cache setting.


Remove ssl ocspResponder cachetimeout setting.


Remove ssl ocspResponder httpmethod setting.


Remove ssl ocspResponder insertclientcert setting.


Remove ssl ocspResponder ocspurlresolvetimeout setting.


Remove ssl ocspResponder producedattimeskew setting.


Remove ssl ocspResponder respondercert setting.


Remove ssl ocspResponder resptimeout setting.


Remove ssl ocspResponder signingcert setting.


Remove ssl ocspResponder trustresponder setting.


Remove ssl ocspResponder usenonce setting.


Remove ssl parameter crlmemorysizemb setting.


Remove ssl parameter cryptodevdisablelimit setting.


Remove ssl parameter defaultprofile setting.


Remove ssl parameter denysslreneg setting.


Remove ssl parameter dropreqwithnohostheader setting.


Remove ssl parameter encrypttriggerpktcount setting.


Remove ssl parameter heterogeneoussslhw setting.


Remove ssl parameter hybridfipsmode setting.


Remove ssl parameter insertcertspace setting.


Remove ssl parameter insertionencoding setting.


Remove ssl parameter ndcppcompliancecertcheck setting.


Remove ssl parameter ocspcachesize setting.


Remove ssl parameter operationqueuelimit setting.


Remove ssl parameter pushenctriggertimeout setting.


Remove ssl parameter pushflag setting.


Remove ssl parameter quantumsize setting.


Remove ssl parameter sendclosenotify setting.


Remove ssl parameter sigdigesttype setting.


Remove ssl parameter snihttphostmatch setting.


Remove ssl parameter softwarecryptothreshold setting.


Remove ssl parameter sslierrorcache setting.


Remove ssl parameter sslimaxerrorcachemem setting.


Remove ssl parameter ssltriggertimeout setting.


Remove ssl parameter strictcachecks setting.


Remove ssl parameter undefactioncontrol setting.


Remove ssl parameter undefactiondata setting.


Remove ssl policy comment setting.


Remove ssl policy undefaction setting.


Remove ssl profile allowextendedmastersecret setting.


Remove ssl profile allowlegacykdf setting.


Remove ssl profile allowunknownsni setting.


Remove ssl profile alpnprotocol setting.


Remove ssl profile cipher setting.


Remove ssl profile cipherpriority setting.


Remove ssl profile cipherredirect setting.


Remove ssl profile cipherurl setting.


Remove ssl profile cleartextport setting.


Remove ssl profile clientauth setting.


Remove ssl profile clientauthuseboundcachain setting.


Remove ssl profile clientcert setting.


Remove ssl profile common setting.


Remove ssl profile defaultsni setting.


Remove ssl profile denysslreneg setting.


Remove ssl profile dh setting.


Remove ssl profile dhcount setting.


Remove ssl profile dhekeyexchangewithpsk setting.


Remove ssl profile dhfile setting.


Remove ssl profile dhkeyexpsizelimit setting.


Remove ssl profile dropreqwithnohostheader setting.


Remove ssl profile dynamicclientcert setting.


Remove ssl profile encryptedclienthello setting.


Remove ssl profile encrypttriggerpktcount setting.


Remove ssl profile ersa setting.


Remove ssl profile ersacount setting.


Remove ssl profile hsts setting.


Remove ssl profile includesubdomains setting.


Remove ssl profile insertionencoding setting.


Remove ssl profile maxage setting.


Remove ssl profile maxrenegrate setting.


Remove ssl profile ocspstapling setting.


Remove ssl profile preload setting.


Remove ssl profile prevsessionkeylifetime setting.


Remove ssl profile pushenctrigger setting.


Remove ssl profile pushenctriggertimeout setting.


Remove ssl profile pushflag setting.


Remove ssl profile quantumsize setting.


Remove ssl profile redirectportrewrite setting.


Remove ssl profile sendclosenotify setting.


Remove ssl profile serverauth setting.


Remove ssl profile sessionkeylifetime setting.


Remove ssl profile sessionticket setting.


Remove ssl profile sessionticketkeydata setting.


Remove ssl profile sessionticketkeyrefresh setting.


Remove ssl profile sessionticketlifetime setting.


Remove ssl profile sessreuse setting.


Remove ssl profile sesstimeout setting.


Remove ssl profile skipclientcertpolicycheck setting.


Remove ssl profile snienable setting.


Remove ssl profile snihttphostmatch setting.


Remove ssl profile ssl3 setting.


Remove ssl profile sslclientlogs setting.


Remove ssl profile sslimaxsessperserver setting.


Remove ssl profile sslinterception setting.


Remove ssl profile ssliocspcheck setting.


Remove ssl profile sslireneg setting.


Remove ssl profile ssllogprofile setting.


Remove ssl profile sslredirect setting.


Remove ssl profile ssltriggertimeout setting.


Remove ssl profile strictcachecks setting.


Remove ssl profile strictsigdigestcheck setting.


Remove ssl profile tls1 setting.


Remove ssl profile tls11 setting.


Remove ssl profile tls12 setting.


Remove ssl profile tls13 setting.


Remove ssl profile tls13sessionticketsperauthcontext setting.


Remove ssl profile zerorttearlydata setting.


Remove ssl service cipherredirect setting.


Remove ssl service cipherurl setting.


Remove ssl service clientauth setting.


Remove ssl service clientcert setting.


Remove ssl service common setting.


Remove ssl service dh setting.


Remove ssl service dhcount setting.


Remove ssl service dhfile setting.


Remove ssl service dhkeyexpsizelimit setting.


Remove ssl service dtls1 setting.


Remove ssl service dtls12 setting.


Remove ssl service dtlsprofile setting.


Remove ssl service ersa setting.


Remove ssl service ersacount setting.


Remove ssl service ocspstapling setting.


Remove ssl service redirectportrewrite setting.


Remove ssl service sendclosenotify setting.


Remove ssl service serverauth setting.


Remove ssl service sessreuse setting.


Remove ssl service sesstimeout setting.


Remove ssl service snienable setting.


Remove ssl service ssl2 setting.


Remove ssl service ssl3 setting.


Remove ssl service sslclientlogs setting.


Remove ssl service sslprofile setting.


Remove ssl service sslredirect setting.


Remove ssl service sslv2redirect setting.


Remove ssl service sslv2url setting.


Remove ssl service strictsigdigestcheck setting.


Remove ssl service tls1 setting.


Remove ssl service tls11 setting.


Remove ssl service tls12 setting.


Remove ssl service tls13 setting.


Remove ssl serviceGroup common setting.


Remove ssl serviceGroup ocspstapling setting.


Remove ssl serviceGroup sendclosenotify setting.


Remove ssl serviceGroup serverauth setting.


Remove ssl serviceGroup sessreuse setting.


Remove ssl serviceGroup sesstimeout setting.


Remove ssl serviceGroup snienable setting.


Remove ssl serviceGroup ssl3 setting.


Remove ssl serviceGroup sslclientlogs setting.


Remove ssl serviceGroup sslprofile setting.


Remove ssl serviceGroup strictsigdigestcheck setting.


Remove ssl serviceGroup tls1 setting.


Remove ssl serviceGroup tls11 setting.


Remove ssl serviceGroup tls12 setting.


Remove ssl serviceGroup tls13 setting.


Remove ssl vserver cipherredirect setting.


Remove ssl vserver cipherurl setting.


Remove ssl vserver cleartextport setting.


Remove ssl vserver clientauth setting.


Remove ssl vserver clientcert setting.


Remove ssl vserver defaultsni setting.


Remove ssl vserver dh setting.


Remove ssl vserver dhcount setting.


Remove ssl vserver dhekeyexchangewithpsk setting.


Remove ssl vserver dhfile setting.


Remove ssl vserver dhkeyexpsizelimit setting.


Remove ssl vserver dtls1 setting.


Remove ssl vserver dtls12 setting.


Remove ssl vserver dtlsprofile setting.


Remove ssl vserver ersa setting.


Remove ssl vserver ersacount setting.


Remove ssl vserver hsts setting.


Remove ssl vserver includesubdomains setting.


Remove ssl vserver maxage setting.


Remove ssl vserver ocspstapling setting.


Remove ssl vserver preload setting.


Remove ssl vserver redirectportrewrite setting.


Remove ssl vserver sendclosenotify setting.


Remove ssl vserver sessreuse setting.


Remove ssl vserver sesstimeout setting.


Remove ssl vserver snienable setting.


Remove ssl vserver ssl2 setting.


Remove ssl vserver ssl3 setting.


Remove ssl vserver sslclientlogs setting.


Remove ssl vserver sslprofile setting.


Remove ssl vserver sslredirect setting.


Remove ssl vserver sslv2redirect setting.


Remove ssl vserver sslv2url setting.


Remove ssl vserver strictsigdigestcheck setting.


Remove ssl vserver tls1 setting.


Remove ssl vserver tls11 setting.


Remove ssl vserver tls12 setting.


Remove ssl vserver tls13 setting.


Remove ssl vserver tls13sessionticketsperauthcontext setting.


Remove ssl vserver zerorttearlydata setting.


Remove ssl zerotouchparam ocspbatchingdelay setting.


Remove ssl zerotouchparam ocspbatchingdepth setting.


Remove ssl zerotouchparam ocspcachetimeout setting.


Remove ssl zerotouchparam ocsphttpmethod setting.


Remove ssl zerotouchparam ocspproducedattimeskew setting.


Remove ssl zerotouchparam ocspresptimeout setting.


Remove ssl zerotouchparam ocsptrustresponder setting.


Remove ssl zerotouchparam ocspurlresolvetimeout setting.


Remove ssl zerotouchparam ocspusenonce setting.


Use this method to update the certificate or private key in a certificate-key pair. In a high availability configuration, the path to the certificate and the optional private key must be the same on the primary and secondary nodes.


Use this method to update the specified certificate-key bundle.


Use this method to update the FIPS firmware. Note: Upgrade with compatible firmware is required. You must specify a valid file path and name.