Online Certificate Status Protocol Enhancement
An Online Certificate Status Protocol (OCSP) check is performed to verify the revocation status of the peer's certificate (Good/Revoked/Unknown). OCSP is currently used in the following applications:
- SSH-x509v3 based authentication (the peer is an SSH client)
- RADIUS-TLS (the peer is a RADIUS-TLS server)
- Secure-Syslog (the peer is a Syslog server)
Version 32.2 introduces the following OCSP enhancements:
- The OCSP server URL is now configurable; when set, it overrides the servers listed in the Authority Information Access (AIA) extension of the RADIUS TLS server's certificate.
- Each application can be configured with its own override server.
- One override server per application is supported.
Supported Platforms
These commands are available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.
New CLI Commands
configure radius tls ocsp nonce [on | off]
configure radius tls ocsp override [url | none]
configure radius tls ocsp signer ocsp-nocheck [on | off]
configure ssh2 x509v3 ocsp [on | off]
configure ssh2 x509v3 ocsp nonce [on | off]
configure ssh2 x509v3 ocsp override [url | none]
configure ssh2 x509v3 ocsp signer ocsp-nocheck [on | off]
configure syslog tls ocsp nonce [on | off]
configure syslog tls ocsp override [url | none]
configure syslog tls ocsp signer ocsp-nocheck [on | off]
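The following Python is an added example, not ExtremeXOS code and not the switch's implementation of these commands. It models what the three per-application settings mean under standard OCSP semantics (RFC 6960): an override URL replaces the AIA responders taken from the peer certificate; the nonce setting requires the responder to echo the request's random nonce, which rejects replayed responses; and signer ocsp-nocheck determines whether a responder certificate carrying the id-pkix-ocsp-nocheck extension is exempt from its own revocation check. The application names, URLs and the OcspPolicy/OcspRequest/OcspResponse types are constructed for illustration, and the mapping of "on/off" to this behaviour is an assumption.

```python
"""Per-application OCSP policy model: override URL, nonce, signer ocsp-nocheck.

Assumed semantics (RFC 6960), not the switch's own implementation:
- override_url set  -> query only that responder, ignore AIA entries
- nonce on          -> request carries a random nonce; response must echo it
- signer_nocheck on -> a responder cert with id-pkix-ocsp-nocheck is trusted
                       without checking the responder cert's own status
"""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed application names, mirroring the three command families.
APPLICATIONS = ("ssh2-x509v3", "radius-tls", "syslog-tls")


@dataclass
class OcspPolicy:
    nonce: bool = True
    override_url: Optional[str] = None   # None corresponds to "override none"
    signer_nocheck: bool = True


@dataclass
class OcspRequest:
    responder_url: str
    nonce: Optional[bytes]               # None when the nonce extension is off


@dataclass
class OcspResponse:
    cert_status: str                     # "good" | "revoked" | "unknown"
    nonce: Optional[bytes]               # nonce echoed by the responder, if any
    signer_has_nocheck: bool             # responder cert carries id-pkix-ocsp-nocheck
    signer_revoked: Optional[bool]       # None: responder cert status not established


def choose_responders(policy: OcspPolicy, aia_ocsp_urls: List[str]) -> List[str]:
    """Override wins over the AIA OCSP URLs extracted from the peer certificate."""
    if policy.override_url:
        return [policy.override_url]
    return list(aia_ocsp_urls)


def build_request(policy: OcspPolicy, responder_url: str) -> OcspRequest:
    """Attach a fresh 16-byte nonce only when the policy asks for one."""
    nonce = secrets.token_bytes(16) if policy.nonce else None
    return OcspRequest(responder_url=responder_url, nonce=nonce)


def evaluate_response(policy: OcspPolicy, request: OcspRequest,
                      response: OcspResponse) -> Tuple[bool, str]:
    """Return (accept_peer, reason). Any doubt about the response rejects the peer."""
    if policy.nonce:
        if response.nonce is None:
            return False, "nonce required but not echoed (possible replayed response)"
        if not secrets.compare_digest(response.nonce, request.nonce):
            return False, "nonce mismatch (response not bound to this request)"
    # Responder signing certificate: exempt only if nocheck is both present and honoured.
    if not (policy.signer_nocheck and response.signer_has_nocheck):
        if response.signer_revoked is None:
            return False, "responder signer revocation status not established"
        if response.signer_revoked:
            return False, "responder signing certificate is revoked"
    if response.cert_status == "good":
        return True, "good"
    return False, f"peer certificate status is {response.cert_status}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run one constructed exchange per application and collect the verdicts."""
    policies = {
        "ssh2-x509v3": OcspPolicy(nonce=True, override_url="http://ocsp-ssh.example.test/"),
        "radius-tls": OcspPolicy(nonce=True, override_url=None),
        "syslog-tls": OcspPolicy(nonce=False, override_url=None, signer_nocheck=False),
    }
    aia = ["http://aia.example.test/ocsp"]      # constructed AIA entry from a peer cert
    results = {}
    for app in APPLICATIONS:
        pol = policies[app]
        req = build_request(pol, choose_responders(pol, aia)[0])
        # Constructed responder answer that echoes the nonce and reports "good".
        resp = OcspResponse("good", req.nonce, signer_has_nocheck=True, signer_revoked=False)
        results[app] = evaluate_response(pol, req, resp)
    return results


if __name__ == "__main__":
    for app, (ok, why) in demo().items():
        print(f"{app}: {'accept' if ok else 'reject'} ({why})")
```

The fail-closed choices in evaluate_response (missing nonce, unknown responder status, any status other than good) are the defender-side behaviour a practitioner should look for when reading the switch's own logs after turning a setting on; they are not claims about how the switch decides.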