set pki ocsp

Use this command to globally enable or disable OCSP certificate revocation checking.

Syntax

set pki ocsp {enable | disable}

Parameters

enable Enables OCSP certificate revocation checking.
disable Disables OCSP certificate revocation checking.

Defaults

OCSP certificate revocation checking is enabled by default.

Mode

All command modes with admin privilege.

Usage

This command is used to globally enable or disable OCSP certificate revocation checking. A Certificate Authority (CA) may need to revoke an issued certificate's authorization prior to the issued certificate's expiration date. Some reasons for revocation include:

  • The user was compromised (keyCompromise)
  • A CA in the chain was compromised (cACompromise)
  • A newer certificate was issued (superseded)

When OCSP is disabled, checking is not performed and the revocation status of all certificates is assumed to be good (not revoked).

When OCSP is enabled, the device will attempt to obtain revocation status from one of the available OCSP Responders (OCSRs). If an OCSR replies with a revocation status of good, certificate chain verification will resume. If an OCSR replies with a request failure or with a certificate revocation status other than good (REVOKED or UNKNOWN), certificate authentication will fail.

Examples

This example shows how to disable OCSP certificate revocation checking on the device:

System(su)->set pki ocsp disable
System(rw)->