PKI Limitations
- All certificates should be in PEM format files.
- Downloading a CA certificate chain is not supported.
- Individual CA certificates in a certificate chain should be downloaded one-by-one using the following command: download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca} cert_file
- Downloading a CA certificate larger than 7.5KB is not recommended.
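The three limitations above (PEM only, no chain download, one file per CA certificate, 7.5KB recommended maximum) amount to a pre-flight check an operator can run on a CA bundle before issuing the download command for each file. The following Python script is an added example, not part of the original documentation or the vendor's tooling: it splits a PEM bundle into one PEM block per certificate, verifies each block is well-formed PEM, and flags any file above the size recommendation. The file names ca0.pem, ca1.pem, ... and the reading of "7.5KB" as 7680 bytes are assumptions; the sample bundle is constructed placeholder data, not real certificates.

```python
import base64
import binascii
import re

# Assumed interpretation of the documented "7.5KB" recommendation: 7.5 * 1024 bytes.
MAX_CA_CERT_BYTES = 7680

# Matches one PEM CERTIFICATE block and captures its base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(bundle: str) -> list[str]:
    """Return each CERTIFICATE block of a PEM bundle as its own normalised PEM string."""
    certs = []
    for m in PEM_CERT_RE.finditer(bundle):
        body = "".join(m.group(1).split())  # drop line breaks and stray whitespace
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n")
    return certs


def check_cert_for_download(pem: str) -> list[str]:
    """Return the problems that would make this single file unsuitable for 'download ssl'."""
    problems = []
    m = PEM_CERT_RE.search(pem)
    if m is None:
        problems.append("not a PEM CERTIFICATE block (DER or wrong header?)")
        return problems
    try:
        base64.b64decode("".join(m.group(1).split()), validate=True)
    except (binascii.Error, ValueError):
        problems.append("PEM body is not valid base64")
    size = len(pem.encode())
    if size > MAX_CA_CERT_BYTES:
        problems.append(f"file is {size} bytes, above the recommended {MAX_CA_CERT_BYTES}")
    return problems


def prepare_chain(bundle: str) -> dict[str, list[str]]:
    """Split a bundle; map each assumed file name 'ca<N>.pem' to its problem list (empty = OK)."""
    return {f"ca{i}.pem": check_cert_for_download(c)
            for i, c in enumerate(split_pem_chain(bundle))}


def _fake_pem(payload: bytes) -> str:
    """Build a constructed PEM block around arbitrary bytes (not real DER)."""
    body = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: three placeholder "certificates" in one file,
# the third deliberately large enough to exceed the documented recommendation.
SAMPLE_BUNDLE = (
    _fake_pem(b"constructed leaf placeholder")
    + _fake_pem(b"constructed intermediate placeholder")
    + _fake_pem(b"X" * 8000)
)

if __name__ == "__main__":
    for name, problems in prepare_chain(SAMPLE_BUNDLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Each file that comes back with an empty problem list can then be pushed with one download ssl ... certificate trusted-ca invocation; a flagged file should be investigated (re-exported as PEM, or a smaller CA certificate obtained) rather than forced onto the device.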
- Certificate Revocation Lists (CRLs) are not supported.
- OCSP stapling is not supported.
- The nonce extension is always disabled in OCSP requests.
- OCSP checking is not performed on the OCSP responder certificate itself. The responder certificate must therefore satisfy either of the following criteria, otherwise the OCSP response is rejected:
  - the OCSP responder certificate is self-signed, OR
  - the OCSP responder certificate contains the id-pkix-ocsp-nocheck extension.
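Because the device does not check the responder certificate's own revocation status, the only responder certificates it will accept are the two kinds listed above. The following Python code is an added example, not part of the original documentation: it implements exactly that acceptance rule (self-signed, or carrying id-pkix-ocsp-nocheck) so an operator can verify a candidate responder certificate offline before deploying it. It uses the third-party cryptography package, assumes RSA-signed certificates for the self-signature check, and builds three constructed test certificates (a self-signed responder, a CA-issued responder with the nocheck extension, and a CA-issued responder without it) rather than using any real certificates.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID


def is_self_signed(cert: x509.Certificate) -> bool:
    """Issuer equals subject and the signature verifies under the cert's own key (RSA assumed)."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def has_ocsp_nocheck(cert: x509.Certificate) -> bool:
    """True if the certificate carries id-pkix-ocsp-nocheck (OID 1.3.6.1.5.5.7.48.1.5)."""
    try:
        cert.extensions.get_extension_for_oid(ExtensionOID.OCSP_NO_CHECK)
        return True
    except x509.ExtensionNotFound:
        return False


def responder_cert_acceptable(cert: x509.Certificate) -> bool:
    """Mirror the documented rule: accepted if self-signed OR carrying id-pkix-ocsp-nocheck."""
    return is_self_signed(cert) or has_ocsp_nocheck(cert)


def _make_cert(subject, issuer, pub_key, signing_key, nocheck: bool) -> x509.Certificate:
    """Build a constructed OCSP-signing certificate; 'nocheck' adds id-pkix-ocsp-nocheck."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pub_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    )
    if nocheck:
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def build_examples() -> dict[str, x509.Certificate]:
    """Constructed test data: three responder certificates covering both rules and the failing case."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    resp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    resp_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed OCSP Responder")])
    return {
        "self_signed": _make_cert(resp_name, resp_name, resp_key.public_key(), resp_key, nocheck=False),
        "ca_issued_nocheck": _make_cert(resp_name, ca_name, resp_key.public_key(), ca_key, nocheck=True),
        "ca_issued_plain": _make_cert(resp_name, ca_name, resp_key.public_key(), ca_key, nocheck=False),
    }


if __name__ == "__main__":
    for label, cert in build_examples().items():
        print(f"{label}: {'accepted' if responder_cert_acceptable(cert) else 'REJECTED'}")
```

To check a real responder certificate, load it with x509.load_pem_x509_certificate() and pass it to responder_cert_acceptable(); a CA-issued responder certificate that lacks the nocheck extension is the common misconfiguration, and on this platform it results in every OCSP response being rejected rather than in a revocation check of the responder.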