Users Guide

9. In the Revocation Checkpoint pane, click Edit next to the revocation checkpoint that you want to
configure. The Revocation Checkpoint pane displays.
10. In the Revocation Check field, select crl from the Method 1 drop-down list.
11. In the CRL Location field, enter the CRL you want to use for this revocation checkpoint. The CRLs listed are
files that have already been imported onto the controller.
12. Click Apply.
In the CLI
This example configures an OCSP responder with the check method as CRL for revocation check point
ROOTCa-ssh-webui. The CRL location is crl1 and the revocation check method is crl.
(host) (config) #crypto-local pki rcp ROOTCa-ssh-webui
(host) (RCP-CARoot) #crl-location file crl1
(host) (RCP-CARoot) #revocation-check crl
Configuring the Controller as an OCSP Responder
When configured as an OCSP responder, the controller provides revocation status information to ArubaOS
applications that use CRLs.
In the WebUI
1. Navigate to the Configuration > Management > Certificates > Upload page.
2. Enter a name in the Certificate Name field. This name identifies the OCSP signer certificate you are
uploading.
3. Enter the certificate file name in the Certificate Filename field. Use Browse to enter the full pathname.
4. Select the certificate format from the Certificate Format drop-down menu.
5. Select OCSP signer cert from the Certificate Type drop-down menu. Once this certificate is uploaded, it
is maintained in the certificate store for OCSP signer certificates. These certificates are used for signature
verification.
The OCSP signer cert signs OCSP responses for this revocation check point. The OCSP signer cert can be the
same trusted CA as the check point, a designated OCSP signer certificate issued by the same CA as the check
point or some other local trusted authority.
If you do not specify an OCSP signer cert, OCSP responses are signed using the global OCSP signer
certificate. If that is not present, then an error message is sent out to clients.
The OCSP signer certificate takes precedence over the global OCSP signer certificate as it is check point specific.
6. Click Upload. The certificate appears in the Certificate Lists pane. Select OCSP signer cert from the Group
drop-down list if you want to display only those certificates which are OCSP signer certificates.
7. For detailed information about an uploaded certificate, click View next to the certificate.
8. Select the Revocation Checkpoint tab.
9. Select Enable next to Enable OCSP Responder.
Enable OCSP Responder is a global knob that turns the OCSP responder service on or off on the controller.
The default is disabled (off). Enabling this option automatically adds the OCSP responder port (TCP 8084) to
the permit list in the CP firewall so that the responder can be reached from outside the controller.
10. Select the OCSP signer cert from the OCSP Certificates drop-down menu to be used to sign OCSP
responses for this revocation check point.
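A client-side check for the responder enabled above, as an added example that is not part of the original guide: it queries the responder port with openssl ocsp and reports the certificate status only when the response signature verified. The host name, URL and file names are placeholders (assumptions), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide). Host, URL and file names are assumptions.

# classify_ocsp: reads the combined stdout+stderr of `openssl ocsp` on stdin.
# Prints: good | revoked | unknown | unverified | error
# The status line is trusted only if the response signature verified, because
# openssl prints the status summary even after "Response Verify Failure".
classify_ocsp() {
    awk '
        /Response verify OK/      { verified = 1 }
        /Response Verify Failure/ { failed = 1 }
        /: good$/                 { status = "good" }
        /: revoked$/              { status = "revoked" }
        /: unknown$/              { status = "unknown" }
        END {
            if (failed || !verified) { print "unverified"; exit }
            if (status == "")        { print "error"; exit }
            print status
        }'
}

# query_responder ISSUER_CA_PEM CERT_PEM OCSP_SIGNER_PEM RESPONDER_URL
# -CAfile trusts the check point CA; -VAfile explicitly trusts the uploaded
# OCSP signer cert, covering a signer that the check point CA did not issue.
query_responder() {
    openssl ocsp -issuer "$1" -cert "$2" -url "$4" \
        -CAfile "$1" -VAfile "$3" 2>&1 | classify_ocsp
}

# Usage (placeholder values):
#   sh ocsp_check.sh ca.pem client.pem ocsp-signer.pem http://controller.example:8084/
if [ "$#" -eq 4 ]; then
    query_responder "$@"
fi
```

A result of unverified means the response was not signed by a certificate the client trusts, so the status it carries should be ignored.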
Dell Networking W-Series ArubaOS 6.4.x | User Guide Certificate Revocation | 369