OCSP support for TLS

OCSP maintains the security of the server and other network resources. OCSP sends a request for certificate status information to the server and receives back a response of current, expired or unknown. The protocol specifies the communication between the server and the client application. OCSP allows expired certificates with a grace period to access servers for a limited time before renewal.

During the TLS handshake, when the TLS client receives the server certificate with OCSP information, the TLS or OCSP client can query the OCSP responder for the validity of the certificate. The certificate status can be valid or revoked.

This feature supports X.509v3 certificate validity checking using the OCSP protocol in accordance with RFC 6960. The OCSP request contains:

The OCSP response provides the certificate revocation status to the client with the following options:

When OCSP is enabled for TLS, it is important to ensure that the OCSP responder supports the SHA-256 hash algorithm and the HTTP POST method.

Application timer

When TLS is used with OCSP during certificate chain validation, or when stunnel is used as a TLS proxy server for a non-secure application, it is recommended to maximize the connection timeout of the server. The RADIUS timeout can be set to a maximum value of 12 seconds using the following commands.

device# aaa accounting exec default start-stop radius
device# aaa authentication login default radius local-auth-fallback
radius-server host <Radius Server IP> ssl-auth-port <Port number to communicate with the RADIUS server> default key <Radius Secret Key>
radius-server timeout <in seconds>

The TACACS+ timeout can be set to a maximum value of 15 seconds using the following command:

tacacs-server timeout <in seconds>

To import the CA certificate onto the switch from the server, use the following command:

scp ca.cert.pem <switch username>@<switch management IP>:ssltrustedcert