protocol ssl server-certs non-exportable enable
Disables the exporting of server certificates and private keys.
Syntax
protocol ssl server-certs non-exportable enable
Parameters
None
Usage
The protocol ssl bulk-export password command allows you to export your SSL certificates and private keys. This bulk export feature is useful to back up SSL configurations or move them to another SteelHead; however, security-conscious organizations might want to make SSL configurations non-exportable.
To ensure a secure SSL deployment, you can prevent your SSL configurations from leaving the SteelHead appliance by disabling the export of SSL certificates and private keys using the protocol ssl server-certs non-exportable enable command.
Consider making SSL certificates nonexportable with your particular security goals in mind. Before doing so, you must thoroughly understand the impact of this change. Use caution and consider the following before making SSL configurations nonexportable:
• After disabling export on a new SteelHead appliance, you cannot reenable it unless you perform a factory reset on the SteelHead appliance (losing the configuration) or clear the secure vault.
• After upgrading a SteelHead appliance and disabling export, you cannot export any preexisting or newly added server certificates and private keys to another SteelHead appliance.
• After disabling export, any newly added server certificates and keys are marked as nonexportable.
• After disabling export and then downgrading a SteelHead appliance to a previous RiOS version, you cannot export any of the existing server certificates and private keys. You can export any newly added server certificates and private keys.
• Disabling export prevents the secure vault content from being copied.
Example
amnesiac (config) # protocol ssl server-certs non-exportable enable
Product
SteelHead CX, SteelHead-v, SteelHead-c
Related Commands