Online Certificate Status Protocol Enhancement

An Online Certificate Status Protocol (OCSP) is performed in order to verify the peer certificate's revocation status (Good/Revoked/Unknown). OCSP is currently used in the following applications:

SSH-x509v3 based authentication (the peer is an SSH client)
RADIUS-TLS (the peer is a RADIUS-TLS server)
Secure-Syslog (the peer is a Syslog server)

Version 32.2 introduces the following enhancement OCSP attributes:

The OCSP server URL is now configurable and overrides the servers in the AuthorityInformationAccess (AIA) section of the RADIUS TLS server's certificate.
Different applications can choose to have a different override server.
One override server per application is acceptable.

Supported Platforms

This command is available on ExtremeSwitching 5320, 5420, 5520, and 5720 series switches.

New CLI Commands

configure radius tls ocsp nonce [on | off]

configure radius tls ocsp override [url | none]

configure radius tls ocsp signer ocsp-nocheck [on | off]

configure ssh2 x509v3 ocsp [on | off]

configure ssh2 x509v3 ocsp nonce [on | off]

configure ssh2 x509v3 ocsp override [url | none]

configure ssh2 x509v3 ocsp signer ocsp-nocheck [on | off]

configure syslog tls ocsp nonce [on | off]

configure syslog tls ocsp override [url | none]

configure syslog tls ocsp signer ocsp-nocheck [on | off]