Online Certificate Status Protocol Enhancement

An Online Certificate Status Protocol (OCSP) is performed in order to verify the peer certificate's revocation status (Good/Revoked/Unknown). OCSP is currently used in the following applications:

SSH-x509v3 based authentication (the peer is an SSH client)
RADIUS-TLS (the peer is a RADIUS-TLS server)
Secure-Syslog (the peer is a Syslog server)

Version 32.2 introduces the following enhancement OCSP attributes:

The OCSP server URL is now configurable and overrides the servers in the AuthorityInformationAccess (AIA) section of the RADIUS TLS server's certificate.
Different applications can choose to have a different override server.
One override server per application is acceptable.

Supported Platforms

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.

New CLI Commands

configure radius tls ocsp nonce [on | off]

configure radius tls ocsp override [url | none]

configure radius tls ocsp signer ocsp-nocheck [on | off]

configure ssh2 x509v3 ocsp [on | off]

configure ssh2 x509v3 ocsp nonce [on | off]

configure ssh2 x509v3 ocsp override [url | none]

configure ssh2 x509v3 ocsp signer ocsp-nocheck [on | off]

configure syslog tls ocsp nonce [on | off]

configure syslog tls ocsp override [url | none]

configure syslog tls ocsp signer ocsp-nocheck [on | off]