set pki ocsp responder

Use this command to configure the URL of an alternate OCSP responder (OCSR) to be used to check certificate revocation status.

Syntax

set pki ocsp responder url [preferred]

Parameters

url          Specifies the URL of the alternate OCSR that will be used to check OCSP certificate revocation status.
preferred    Specifies that this alternate OCSR is preferred over other configured OCSRs for the checking of OCSP certificate revocation status.

Defaults

If preferred is not specified, the OCSR will not be preferred over other configured OCSRs.

Mode

All command modes with admin privilege.

Usage

X.509 certificates may contain an optional Authority Information Access (AIA) extension that lists one or more addresses of OCSP responders (OCSRs) to be used to check revocation status. In addition to these certificate OCSRs, one alternate OCSR URL may be configured. If this alternate responder is designated as preferred, it will be tried before the certificate's AIA responders. If it is not preferred, the alternate responder will be tried after the AIA responders.

Examples

This example shows how to configure the alternate OCSP responder's URL to IP address 10.21.1.115, port 8888, and path /mypath. This configured URL will be tried first. If no response is received, a second OCSP request will be sent to the OCSP responders defined in the certificate's AIA extension (if present):

System(su)->set pki ocsp responder http://10.21.1.115:8888/mypath preferred
System(su)->
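
The responder ordering described under Usage, modelled as an added Python example (not code from the device or its vendor). The AIA URL, the function names and the rule that any received response ends the sequence are assumptions; the page states only that a missing response moves the check on to the next responder.

```python
from typing import Callable, Iterable, List, Optional, Tuple

def responder_order(aia_urls: Iterable[str], alternate: Optional[str],
                    preferred: bool = False) -> List[str]:
    """Order in which responders are tried: a preferred alternate goes
    before the certificate's AIA responders, otherwise after them."""
    aia = list(aia_urls)
    if alternate is None:
        return aia
    return [alternate] + aia if preferred else aia + [alternate]

def check_revocation(order: List[str], query: Callable[[str], Optional[str]]
                     ) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Try each responder in turn. `query` returns an OCSP status string, or
    None when no response is received. Assumption: any received response
    (good, revoked or unknown) ends the sequence.
    Returns (answering_url, status, urls_tried)."""
    tried: List[str] = []
    for url in order:
        tried.append(url)
        status = query(url)
        if status is not None:
            return url, status, tried
    # No responder answered. What the device does next is not stated on
    # the page, so the caller must decide how to treat this outcome.
    return None, None, tried

def make_query(answers: dict) -> Callable[[str], Optional[str]]:
    """Hypothetical stand-in for the network: URLs missing from `answers`
    behave like a responder that never replies."""
    return lambda url: answers.get(url)

ALTERNATE = "http://10.21.1.115:8888/mypath"   # URL from the page's example
AIA = ["http://ocsp.example.test/ca1"]         # constructed AIA entry

if __name__ == "__main__":
    order = responder_order(AIA, ALTERNATE, preferred=True)
    # Alternate is down: the request falls through to the AIA responder.
    print(check_revocation(order, make_query({AIA[0]: "good"})))
    # Alternate answers: its status is used and AIA is never consulted.
    print(check_revocation(order, make_query({ALTERNATE: "revoked",
                                              AIA[0]: "good"})))
```

With `preferred` set, the alternate responder's answer is the one used whenever it replies, so its availability and trustworthiness matter more than those of the AIA responders.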