OCSP can be vulnerable to replay attacks, where a signed good response is captured by a malicious intermediary and replayed to the client at a later date after the subject certificate may have been revoked. OCSP overcomes this by including a nonce extension in the request that must be included in the corresponding response. If the corresponding OSCP response does not contain a matching nonce, the certificate verification will fail.
When OCSP nonce is enabled, the nonce extension is added to the outgoing OCSP request. If the corresponding OSCP response does not contain a matching nonce, then certificate verification will fail.
Use the set pki ocsp nonce command to enable or disable the inclusion of a nonce extension in the outgoing OCSP request that must be included in the corresponding response.