Use this command to enable or disable the inclusion of a nonce extension in outgoing OCSP requests. When enabled, the nonce sent in the request must be echoed in the corresponding OCSP response for the response to be accepted.
Parameter | Description |
enable | The nonce extension is included in the outgoing OCSP request, and the corresponding OCSP response must carry the same nonce. |
disable | The nonce extension is not included in the outgoing OCSP request, and no nonce is expected in the response. |
The inclusion of the nonce extension in the OCSP request is enabled by default.
All command modes with admin privilege.
This command enables or disables the inclusion of the nonce extension in outgoing OCSP requests. Without a nonce, OCSP is vulnerable to replay attacks: a malicious intermediary captures a signed "good" response and replays it to the client later, after the subject certificate may have been revoked, for as long as the captured response remains otherwise valid. OCSP overcomes this by including a nonce extension in the request that must be echoed in the corresponding response, cryptographically binding the response to that one request. If the corresponding OCSP response does not contain a matching nonce, the certificate verification will fail. Disable the nonce only when the responder in use does not echo it (for example, a responder that serves pre-computed responses), and be aware that doing so removes the per-request freshness check, leaving only the response's own validity period as a limit on replay.
This example shows how to disable the inclusion of the nonce extension in the outgoing OCSP request:
System(su)->set pki ocsp nonce disable
System(su)->
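The replay scenario described in the usage text above, as an added illustration that is not the device's code or part of the original page: a Python model of the OCSP exchange in which the responder's signature is an HMAC over the response body and the messages are dicts rather than DER (both assumptions made so the script runs offline; the serial number, dates and responder key are constructed values). It shows that with the nonce enabled a replayed "good" response is rejected on nonce mismatch, while with it disabled the same replay is accepted until the response's nextUpdate passes.

```python
"""Toy model of the OCSP nonce replay check (RFC 6960 nonce extension).

Added illustration, not the device's code: messages are dicts instead of
DER, and the responder "signs" with an HMAC over the response body instead
of an X.509 signature. Serial numbers, dates and the key are constructed.
"""
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the responder's signing key (assumption).
RESPONDER_KEY = b"constructed-ocsp-responder-key"
VALIDITY = timedelta(days=7)  # responder's thisUpdate..nextUpdate window


def sign(body):
    """Responder 'signature': HMAC over the canonical JSON of the body."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RESPONDER_KEY, data, hashlib.sha256).hexdigest()


class Responder:
    """Minimal OCSP responder with a revocation set; echoes any nonce."""

    def __init__(self):
        self.revoked = set()

    def respond(self, request, now):
        body = {
            "serial": request["serial"],
            "status": "revoked" if request["serial"] in self.revoked else "good",
            "thisUpdate": now.isoformat(),
            "nextUpdate": (now + VALIDITY).isoformat(),
            # A responder copies the request nonce into the response.
            "nonce": request.get("nonce"),
        }
        return {"body": body, "sig": sign(body)}


def build_request(serial, use_nonce):
    """Client request; use_nonce=True models 'set pki ocsp nonce enable'."""
    request = {"serial": serial}
    if use_nonce:
        request["nonce"] = os.urandom(16).hex()  # fresh per request
    return request


def verify(request, response, now):
    """Client-side checks. Returns (accept_as_good, reason)."""
    body = response["body"]
    if not hmac.compare_digest(sign(body), response["sig"]):
        return False, "bad signature"
    if body["serial"] != request["serial"]:
        return False, "serial mismatch"
    this_update = datetime.fromisoformat(body["thisUpdate"])
    next_update = datetime.fromisoformat(body["nextUpdate"])
    if not this_update <= now <= next_update:
        return False, "response outside validity window"
    # With the nonce enabled, the response must echo exactly our nonce.
    if "nonce" in request and body.get("nonce") != request["nonce"]:
        return False, "nonce mismatch"
    return body["status"] == "good", body["status"]


def replay_scenario(use_nonce, replay_after_days=2):
    """Intermediary captures a 'good' response and replays it after revocation.

    Returns the client's verdict on the replayed response.
    """
    serial = 0x1A2B3C  # constructed serial number
    responder = Responder()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    # Day 0: legitimate exchange; the intermediary records the response.
    first_request = build_request(serial, use_nonce)
    captured = responder.respond(first_request, t0)
    assert verify(first_request, captured, t0) == (True, "good")

    # Day 1: the certificate is revoked at the responder.
    responder.revoked.add(serial)

    # Later: the client asks again; the intermediary answers with the old
    # capture instead of forwarding the new request to the responder.
    later = t0 + timedelta(days=replay_after_days)
    new_request = build_request(serial, use_nonce)
    return verify(new_request, captured, later)


def honest_scenario(use_nonce):
    """No intermediary: after revocation the client sees 'revoked'."""
    serial = 0x1A2B3C
    responder = Responder()
    responder.revoked.add(serial)
    now = datetime(2024, 1, 2, tzinfo=timezone.utc)
    request = build_request(serial, use_nonce)
    return verify(request, responder.respond(request, now), now)


if __name__ == "__main__":
    print("nonce enabled, replay on day 2:  ", replay_scenario(True))
    print("nonce disabled, replay on day 2: ", replay_scenario(False))
    print("nonce disabled, replay on day 8: ", replay_scenario(False, 8))
    print("nonce enabled, honest responder: ", honest_scenario(True))
```

The order of checks in verify mirrors what a client should do: signature first, then the validity window, then the nonce. The third run shows the caveat from the usage text: with the nonce disabled, the only thing that eventually stops the replay is the responder's nextUpdate, which here is seven days after the capture.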