Setup Guide

Conguring OCSP setting on CA
You can congure the CA to contact multiple OCSP servers.
To congure OCSP server for a CA, perform the following step:
In the certicate mode, enter the following command:
ocsp-server URL [nonce] [sign-requests]
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://
[1100::203]:6514.
Conguring OCSP behavior
You can congure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.
To congure this behavior, perform the following steps:
In the global conguration mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Conguring revocation behavior
You can congure the system behavior if an OCSP responder fails.
By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certicate and logs the
event. However, you can congure the system to reject the certicate in case OCSP responders fail.
To congure OCSP revocation settings:
In the global conguration mode, enter the following command:
crypto x509 revocation ocsp [accept | reject]
Conguring OSCP responder preference
You can congure the preference or order that the CA or a device should follow while contacting multiple OCSP responders.
To congure this setting, perform the following step:
In certicate mode, enter the following command:
CERTIFICATE Mode
ocsp-server prefer
Verifying certicates
A CA certicate’s public key is used to decrypt a presented certicate’s signature to obtain a hash value.
The rest of the presented certicate is also hashed and if the two hashes match then the certicate is considered valid.
During verication, the system checks the presented certicates for revocation information. The system also enables you to congure
behavior in case a certicate’s revocation status cannot be veried; for example, when the OCSP responder is unreachable you can alter
system behavior to accept or reject the certicate depending on conguration. The default behavior is to accept the certicates. The
system also logs the events where the OSCP responders fail or invalid OSCP responses are received.
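The revocation behavior described in this section, modelled in Python as an added example (not the switch's own code): responders are tried in the configured preference order, unreachable or invalid responses are logged and skipped, and the accept/reject policy applies only when every responder fails. The responder URLs and results are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ResponderResult:
    """Outcome of contacting one OCSP responder (constructed model, not the OS's API)."""
    url: str
    status: Optional[str]      # "good", "revoked", or None when no response arrived
    signature_ok: bool = True  # response signature verified against the responder's key
    nonce_echoed: bool = True  # response carries the nonce that was sent in the request

def check_revocation(results: List[ResponderResult], policy: str = "accept",
                     nonce: bool = False) -> Tuple[bool, List[str]]:
    """Return (accept_certificate, log) for one presented certificate.

    results: one ResponderResult per responder, already in preference order
             (the order 'ocsp-server prefer' would establish).
    policy:  'accept' (default) or 'reject', the behavior when every responder fails,
             as set by 'crypto x509 revocation ocsp [accept | reject]'.
    nonce:   True when requests carry a nonce; a reply that does not echo it is
             treated as an invalid response (it could be a replayed old answer).
    """
    if policy not in ("accept", "reject"):
        raise ValueError("policy must be 'accept' or 'reject'")
    log: List[str] = []
    for r in results:
        if r.status is None:
            log.append(f"{r.url}: OCSP responder failed to respond")
            continue
        if not r.signature_ok:
            log.append(f"{r.url}: invalid OCSP response (signature check failed)")
            continue
        if nonce and not r.nonce_echoed:
            log.append(f"{r.url}: invalid OCSP response (nonce not echoed)")
            continue
        if r.status not in ("good", "revoked"):
            raise ValueError(f"unexpected OCSP status {r.status!r}")
        # The first usable answer decides; remaining responders are not consulted.
        log.append(f"{r.url}: certificate {r.status}")
        return r.status == "good", log
    # Every responder failed or answered invalidly: apply the configured policy.
    log.append(f"all OCSP responders failed; policy={policy}")
    return policy == "accept", log

# Constructed sample: the preferred responder is down, the second answers "good"
# without echoing the nonce, the third answers "good" correctly.
SAMPLE = [
    ResponderResult("http://ocsp1.example.test", None),
    ResponderResult("http://[1100::203]:6514", "good", nonce_echoed=False),
    ResponderResult("http://ocsp3.example.test", "good"),
]
```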