Administrator Guide

NOTE: If you have an IPv6 address in the URL, enclose the address in square brackets. For example, http://[1100::203]:6514.
Conguring OCSP behavior
You can congure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.
To congure this behavior, follow this step:
In CONFIGURATION mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Both the none and sign-request parameters are optional. The default behavior is to not use these two options. If your OCSP
responder uses pre-computed responses, you cannot use the none feature in the switch's communcations with the responder. If your
OCSP responder requires signed requests, you can use the sign-requests option.
Conguring Revocation Behavior
You can congure the system behavior if an OCSP responder fails.
By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certicate and logs the
event. However, you can congure the system to reject the certicate in case OCSP responders fail.
To congure OCSP revocation settings:
In CONFIGURATION mode, enter the following command:
crypto x509 revocation ocsp [accept | reject]
The default behavior is to accept certicates if either an OCSP responder is unavailable or if no responder is identied.
Conguring OSCP responder preference
You can congure the preference or order that the CA or a device follows while contacting multiple OCSP responders.
Enter the following command in Certicate mode:
ocsp-server prefer
Verifying certificates
The CA certificate's public key is used to verify the signature on a presented certificate: the signature is decrypted with the public key to obtain a hash value, the signed portion of the presented certificate is hashed independently, and the signature is considered valid only if the two hashes match.
During verification, the system also checks the presented certificate for revocation information. You can configure the behavior for the case where a certificate's revocation status cannot be verified; for example, when the OCSP responder is unreachable, the system accepts or rejects the certificate depending on the configuration. The default behavior is to accept the certificate. The system also logs the events where OCSP responders fail or invalid OCSP responses are received.
NOTE: A CA certificate can also be revoked.
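The OCSP options above (nonce, sign-request, and the accept/reject default) can be exercised against a real responder without any network by using openssl(1) as both client and responder. The following script is an added example and is not part of this guide or of the switch software: it builds a throw-away CA, a delegated OCSP signer and two leaf certificates, answers requests offline from a ca-style index file, and checks the responses the way a relying party such as the switch would. The file names, serial numbers, index entries and the decide function (this example's reading of the accept/reject policy) are all assumptions of the example; it requires only an openssl binary, 1.1.1 or later.

```shell
# Added example, not from the Dell guide: an offline OCSP exchange driven with
# openssl(1) showing what the nonce, sign-request and accept/reject settings above
# change. Assumes only an openssl binary (1.1.1 or 3.x); every key, certificate and
# the responder's index file are generated here in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# issue <name> <extension-section> <serial>: CA-signed certificate with a fixed serial.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -config req.cnf -subj "/CN=$1.example" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" -days 30 \
    -extfile req.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}
# Throw-away PKI: root CA, delegated OCSP signer, one good and one revoked leaf,
# plus the ca(1)-style index the responder consults (V = valid, R = revoked).
setup_pki() {
  cd "$WORK"
  cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_ocsp ]
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[ v3_leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -config req.cnf -extensions v3_ca -subj "/CN=Lab CA" 2>/dev/null
  issue ocsp v3_ocsp 0x1000
  issue good v3_leaf 0x1001
  issue revoked v3_leaf 0x1002
  printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=good.example\n' > index.txt
  printf 'R\t300101000000Z\t240101000000Z\t1002\tunknown\t/CN=revoked.example\n' >> index.txt
}
# make_request <leaf> <out.der> <-nonce|-no_nonce> [-signer crt -signkey key]
make_request() {
  leaf=$1; out=$2; shift 2
  openssl ocsp -issuer ca.crt -cert "$leaf.crt" -reqout "$out" "$@" 2>/dev/null
}
# respond <req.der> <resp.der>: the responder, run offline against index.txt; it
# echoes the request's nonce if there is one and signs with the delegated cert.
respond() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner ocsp.crt -rkey ocsp.key -rmd sha256 \
    -reqin "$1" -no_nonce -respout "$2" -noverify >/dev/null 2>&1
}
# verify_response <req.der> <resp.der>: the relying party's check. Prints verified,
# no-nonce (our nonce was not echoed: warning only), nonce-mismatch or invalid.
verify_response() {
  if out=$(openssl ocsp -reqin "$1" -no_nonce -respin "$2" -CAfile ca.crt 2>&1); then
    case $out in *"no nonce in response"*) echo no-nonce ;; *) echo verified ;; esac
  else
    case $out in *"Nonce Verify error"*) echo nonce-mismatch ;; *) echo invalid ;; esac
  fi
}
# cert_status <leaf> <resp.der>: status (good/revoked/unknown) the response asserts.
cert_status() {
  openssl ocsp -issuer ca.crt -cert "$1.crt" -no_nonce -respin "$2" -CAfile ca.crt \
    2>/dev/null | awk -F': ' '/\.crt: /{print $2; exit}'
}
# request_is_signed <req.der>: yes if the request carries an optionalSignature.
request_is_signed() {
  if openssl ocsp -reqin "$1" -no_nonce -req_text -noverify 2>/dev/null |
     grep -q 'Signature Algorithm'; then echo yes; else echo no; fi
}
# decide <accept|reject> <outcome>: this example's reading of the revocation policy.
decide() {
  case $2 in good) echo accept ;; revoked) echo reject ;; *) echo "$1" ;; esac
}
main() {
  setup_pki
  make_request good req-nonce.der -nonce
  respond req-nonce.der resp-live.der
  echo "live response, nonce echoed: $(verify_response req-nonce.der resp-live.der)"
  echo "status of good leaf:         $(cert_status good resp-live.der)"
  # A pre-computed response was built without our nonce (the case the guide warns about).
  make_request good req-plain.der -no_nonce
  respond req-plain.der resp-precomputed.der
  echo "pre-computed, no nonce:      $(verify_response req-nonce.der resp-precomputed.der)"
  make_request good req-nonce2.der -nonce   # fresh nonce the old response cannot match
  echo "replayed, stale nonce:       $(verify_response req-nonce2.der resp-live.der)"
  # sign-request: the client signs its request with its own certificate and key.
  make_request good req-signed.der -nonce -signer good.crt -signkey good.key
  echo "request signed:              $(request_is_signed req-signed.der)"
  make_request revoked req-rev.der -nonce
  respond req-rev.der resp-rev.der
  echo "status of revoked leaf:      $(cert_status revoked resp-rev.der)"
  # No usable answer at all: the default "accept" fails open, "reject" fails closed.
  echo "unreachable: accept policy -> $(decide accept unreachable), reject policy -> $(decide reject unreachable)"
}
main
```

Run it with sh. The live exchange verifies and reports good; the pre-computed response comes back without the client's nonce and openssl accepts it with only a warning, which is the situation the guide describes for responders that serve pre-computed responses; the replayed response carrying a stale nonce is rejected outright; the signed request shows what sign-request adds to the wire format; and the last line shows the same unreachable-responder outcome flipping between accept and reject with the policy. What the switch itself does when a nonce is missing from a response is not shown by this script and should be confirmed on the device.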