set pki ocsp

Use this command to globally enable or disable OCSP certificate revocation checking.


set pki ocsp {enable | disable}


enable     Enables OCSP certificate revocation checking.
disable    Disables OCSP certificate revocation checking.


OCSP certificate revocation checking is enabled by default.


All command modes with admin privilege.


This command is used to globally enable or disable OCSP certificate revocation checking. A Certificate Authority (CA) may need to revoke an issued certificate's authorization prior to the issued certificate's expiration date. Some reasons for revocation include:

  • The user was compromised (keyCompromise)
  • A CA in the chain was compromised (cACompromise)
  • A newer certificate was issued (superseded)

When OCSP is disabled, checking is not performed and the revocation status of all certificates is assumed to be good (not revoked).

When OCSP is enabled, the device will attempt to obtain revocation status from one of the available OCSP Responders (OCSRs). If an OCSR replies with a revocation status of good, certificate chain verification will resume. If an OCSR replies with a request failure or with a certificate revocation status other than good (REVOKED or UNKNOWN), certificate authentication will fail.
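
The accept/reject behavior described above, modeled as an added Python example (not vendor code or device output). The per-certificate chain walk, the `query` callback, the sample certificate names, and the mapping of "request failure" to any non-successful RFC 6960 response status are assumptions made for illustration.

```python
from enum import Enum

class RespStatus(Enum):          # OCSPResponseStatus values from RFC 6960
    SUCCESSFUL = 0
    MALFORMED_REQUEST = 1
    INTERNAL_ERROR = 2
    TRY_LATER = 3
    SIG_REQUIRED = 5
    UNAUTHORIZED = 6

class CertStatus(Enum):          # CertStatus choices from RFC 6960
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

def check_chain(chain, ocsp_enabled, query):
    """Return (accepted, reason) for a certificate chain.

    query(cert) is a hypothetical callback returning
    (RespStatus, CertStatus or None) for one certificate.
    """
    if not ocsp_enabled:
        # 'set pki ocsp disable': no lookup, every certificate is assumed good.
        return True, "OCSP disabled: revocation status assumed good"
    for cert in chain:
        resp, status = query(cert)
        if resp is not RespStatus.SUCCESSFUL:
            # Assumption: any non-successful response is a request failure.
            return False, f"{cert}: request failure ({resp.name})"
        if status is not CertStatus.GOOD:
            # REVOKED and UNKNOWN are both treated as failures.
            return False, f"{cert}: status {status.name}"
    return True, "all certificates good"

# Constructed responder data: the intermediate CA has been revoked.
RESPONDER = {
    "leaf.example": (RespStatus.SUCCESSFUL, CertStatus.GOOD),
    "intermediate-ca.example": (RespStatus.SUCCESSFUL, CertStatus.REVOKED),
    "offline.example": (RespStatus.TRY_LATER, None),
}

def lookup(cert):
    # A certificate the responder has no record of is reported as unknown.
    return RESPONDER.get(cert, (RespStatus.SUCCESSFUL, CertStatus.UNKNOWN))

if __name__ == "__main__":
    chain = ["leaf.example", "intermediate-ca.example"]
    for enabled in (True, False):
        print("OCSP enabled" if enabled else "OCSP disabled", check_chain(chain, enabled, lookup))
```

With the same chain, the enabled case rejects on the revoked intermediate while the disabled case accepts it, which is the exposure created by turning the check off.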


This example shows how to disable OCSP certificate revocation checking on the device:

System(su)->set pki ocsp disable