  
protocol keystone server auto-sign
Provides automatic certificate cloning and signing using a Keystone server on SteelHead.
Syntax
[no] protocol keystone server auto-sign [ca {csr | generate | id <id> | import id <id> cert-pem <cert-pem> key-pem <key-pem> [<password>]} | enable | signed-cert {key-size <key-size> | limit <limit> | valid-days <valid-days>}]
Parameters
ca {csr | generate | id <id> | import id <id> cert-pem <cert-pem> key-pem <key-pem> [<password>]}
Configures the Keystone server auto-sign certificate authority (CA) settings. The following options are available:
csr—Configures the Keystone server auto-sign CA to use a certificate signing request.
generate—Generates a new auto-sign CA certificate.
id—Specifies the user-assigned id for an existing auto-sign CA certificate.
import id—Imports a new auto-sign CA certificate. To paste large text blocks such as PEM, open a double quote ("), paste the PEM, then close the double quote.
cert-pem—Pastes the certificate data in PEM format (including chain).
key-pem—Pastes the private key data in PEM format. If the private key is encrypted, use the <password> parameter after key-pem to specify the decryption password.
enable
Enables Keystone server auto-signing.
signed-cert {key-size <key-size> | limit <limit> | valid-days <valid-days>}
Configures the Keystone server auto-sign certificate settings. The following options are available:
key-size—Private key size for signed certificates. The default is a 2048-bit RSA key.
limit—Maximum number of auto-signed certificates allowed (0=unlimited). The default value is 1500.
valid-days—Number of days the signed certificate is valid. By default, the certificate is valid for 365 days.
Usage
To use the auto-signing commands, the signing certificate authority (CA) certificate must be explicitly added to the client trust store. Once the SteelHead is configured with a signing CA certificate that the client trusts, and the SteelHead has no matching server proxy certificate for a given website, it generates a certificate on demand. Generated certificates are made available for subsequent connections and are retained across SteelHead reboots. Only the certificates that are needed are created. The private key for a generated certificate never leaves the SteelHead that generated it. The SteelHead performing the certificate generation can be the server-side SteelHead (Default mode), the client-side SteelHead (Local mode), or another SteelHead (Remote mode); the mode is configured with the protocol keystone transport server commands. The auto-sign feature can be disabled without affecting the existing auto-generated certificates. Generated certificates are stored with, and can be managed alongside, the other server certificates, both in the CLI and on the SteelHead Management Console Optimization > Server Certificates page. For more information on deployment and managing certificates, see the SteelHead User Guide.
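The following POSIX shell script is an added example, not Riverbed's code and not taken from this page. It uses openssl to build a throwaway CA in the form the ca import option accepts, signs a server proxy certificate the way the on-demand generation would with the page's defaults (2048-bit key, 365 days), and runs the checks a client administrator would apply before trusting such certificates: that the leaf chains to the imported CA and that its key size and lifetime match the configured key-size and valid-days. The hostnames, file paths and CA subject are made up.

```shell
#!/bin/sh
# Added example, not from the SteelHead documentation: exercise the trust
# relationship described under Usage with openssl. All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed CA. Its two PEM files are the kind of material the
# "ca import id <id> cert-pem ... key-pem ..." form expects to be pasted.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Constructed AutoSign CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Stand in for the on-demand generation: a server proxy certificate for one
# site, signed by the CA. $1 = hostname, $2 = RSA key bits, $3 = valid days
make_leaf() {
  openssl req -new -newkey "rsa:$2" -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Client-side check: does the presented certificate chain to the CA that was
# placed in the client trust store?
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Key size in bits, to compare with the configured signed-cert key-size.
leaf_key_bits() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# True when the certificate expires within $2 days, i.e. its lifetime does
# not exceed the configured signed-cert valid-days (one minute of slack).
expires_within_days() {
  ! openssl x509 -in "$WORK/$1.crt" -noout \
      -checkend $(( $2 * 86400 + 60 )) >/dev/null
}

# Demo: one certificate shaped like the defaults, one that outlives valid-days.
make_ca
make_leaf www.example.test 2048 365
make_leaf stale.example.test 2048 400
chains_to_ca www.example.test && echo "www: chains to the auto-sign CA"
echo "www key bits: $(leaf_key_bits www.example.test)"
expires_within_days stale.example.test 365 || echo "stale: exceeds 365 days"
```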
Example
amnesiac (config) # protocol keystone server auto-sign ca import id MyImportedCA cert-pem "-----BEGIN CERTIFICATE-----MIIDBTCCAe2gAwIBAgIUTr+rg4k/S81bMFL62sUXiUDEy48wDQYJKoZIhvcNAQELECmjUeAWBgN7-This is an example, it is not the entire certificate-----END CERTIFICATE-----" key-pem "-----BEGIN PRIVATE KEY----- KDunaQxZa2S9QUvvRphtios=-This is an example, it is not the entire certificate-----END PRIVATE KEY-----"
Product
SteelHead
Related Commands
protocol keystone transport server, show protocol keystone