Manualshelf

Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048-ON
1137113811391140114111421143114411451146
Configuring OCSP setting on CA
You can configure the CA to contact multiple OCSP servers.
To configure OCSP server for a CA, perform the following step:
In the certificate mode, enter the following command:
ocsp-server URL [nonce] [sign-requests]
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://
[1100::203]:6514.
Configuring OCSP behavior
You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.
To configure this behavior, perform the following steps:
In the global configuration mode, enter the following command:
crypto x509 ocsp {[nonce] [sign-request]}
Configuring revocation behavior
You can configure the system behavior if an OCSP responder fails.
By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certificate and logs the
event. However, you can configure the system to reject the certificate in case OCSP responders fail.
To configure OCSP revocation settings:
In the global configuration mode, enter the following command:
crypto x509 revocation ocsp [accept | reject]
Configuring OSCP responder preference
You can configure the preference or order that the CA or a device should follow while contacting multiple OCSP responders.
To configure this setting, perform the following step:
In certificate mode, enter the following command:
CERTIFICATE Mode
ocsp-server prefer
Verifying certificates
A CA certificate’s public key is used to decrypt a presented certificate’s signature to obtain a hash value.
The rest of the presented certificate is also hashed and if the two hashes match then the certificate is considered valid.
During verification, the system checks the presented certificates for revocation information. The system also enables you to configure
behavior in case a certificate’s revocation status cannot be verified; for example, when the OCSP responder is unreachable you can alter
system behavior to accept or reject the certificate depending on configuration. The default behavior is to accept the certificates. The
system also logs the events where the OSCP responders fail or invalid OSCP responses are received.
X.509v3
1145