Administrator Guide
Conguring OCSP setting on CA
You can congure the CA to contact multiple OCSP servers.
To congure OCSP server for a CA, perform the following step:
In the certicate mode, enter the following command:
ocsp-server URL [nonce] [sign-requests]
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://
[1100::203]:6514.
Conguring OCSP behavior
You can congure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.
To congure this behavior, perform the following steps:
In the global conguration mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Conguring revocation behavior
You can congure the system behavior if an OCSP responder fails.
By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certicate and logs the
event. However, you can congure the system to reject the certicate in case OCSP responders fail.
To congure OCSP revocation settings:
In the global conguration mode, enter the following command:
crypto x509 revocation ocsp [accept | reject]
Conguring OSCP responder preference
You can congure the preference or order that the CA or a device should follow while contacting multiple OCSP responders.
To congure this setting, perform the following step:
In certicate mode, enter the following command:
CERTIFICATE Mode
ocsp-server prefer
Verifying certicates
A CA certicate’s public key is used to decrypt a presented certicate’s signature to obtain a hash value.
The rest of the presented certicate is also hashed and if the two hashes match then the certicate is considered valid.
During verication, the system checks the presented certicates for revocation information. The system also enables you to congure
behavior in case a certicate’s revocation status cannot be veried; for example, when the OCSP responder is unreachable you can alter
system behavior to accept or reject the certicate depending on conguration. The default behavior is to accept the certicates. The
system also logs the events where the OSCP responders fail or invalid OSCP responses are received.
1126
X.509v3