Online Certificate Status Protocol Configuration
OCSP configuration consists of:
- Configuring one or more certificate status profiles; each profile contains the information needed to contact a specific OCSP responder.
- Enabling certificate revocation checking by assigning a certificate status profile to a previously configured TLS profile.
To create a certificate status profile:
1. From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you provide the information required to access one or more OCSP responders.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)#
2. Use the required name parameter to identify this cert-status-profile instance. Each profile instance provides configuration data for a specific OCSP responder; name is used to distinguish between multiple profile instances.
3. Use the required ip-address parameter to specify the IPv4 address of the OCSP responder.
4. Use the optional port parameter to specify the destination port. In the absence of an explicitly configured value, the default port number of 80 is used.
5. Use the optional realm-id parameter to specify the realm used to transmit OCSP requests. In the absence of an explicitly configured value, the default specifies service across the wancom0 interface.
6. Use the optional requester-cert parameter only if OCSP requests are signed; ignore this parameter if requests are not signed. RFC 2560 does not require signed requests; however, local or CA policies can mandate digital signatures.
7. Use the required responder-cert parameter to identify the certificate used to validate OCSP responses (the public key of the OCSP responder). RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP clients validate incoming signatures. Provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.
8. Use the optional retry-count parameter to specify the maximum number of times to retry an OCSP responder in the event of connection failure. If the retry count specified by this parameter is exceeded, the OCSP requester contacts another responder (if multiple responders have been configured within this cert-status-profile) and quarantines the unavailable responder for the period defined by the dead-time parameter. In the absence of an explicitly configured value (an integer within the range 0 through 10), the default of 1 is used.
    ORACLE(cert-status-profile)# retry-count 2
    ORACLE(cert-status-profile)#
9. Use the optional dead-time parameter to specify the quarantine period imposed on an unavailable OCSP responder. In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the default value (0) is used. Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period, to prevent lengthy service outages.
10. Retain the default values for the type and trans-protocol parameters to specify OCSP over the HTTP transport protocol.
11. Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
12. Repeat Steps 1 through 11 to configure additional certificate status profiles.
To enable certificate status checking:
1. Move to tls-profile configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# tls-profile
    ORACLE(tls-profile)#
2. Use the required cert-status-check parameter to enable OCSP in conjunction with an existing TLS profile.
3. Use the required cert-status-profile-list parameter to assign one or more cert-status-profiles to the current TLS profile. Each assigned cert-status-profile provides the information needed to access a single OCSP responder. Use quotation marks to assign multiple OCSP responders. The sample configuration below assigns three cert-status-profiles, VerisignClass3Designate, Verisign-1, and Thawte-1, to the TLS-1 profile.
4. Use done, exit, and verify-config to complete configuration.
Sample Configuration:
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)# name VerisignClass3Designate
    ORACLE(cert-status-profile)# ip-address 192.168.7.100
    ORACLE(cert-status-profile)# responder-cert VerisignClass3ValidateOCSP
    ORACLE(cert-status-profile)# done
    ORACLE(cert-status-profile)# exit
    ...
    ...
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# tls-profile
    ORACLE(tls-profile)# select
    <name>:
    1. TLS-1
    2. TLS-2
    3. TLS-3
    selection: 1
    ORACLE(tls-profile)# cert-status-check enabled
    ORACLE(tls-profile)# cert-status-profile-list "VerisignClass3Designate Verisign-1 Thawte-1"
    ORACLE(tls-profile)# done
    ORACLE(tls-profile)# exit
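As an added example that is not part of the Oracle documentation, the following Python lint applies the constraints stated in the steps above (the required name, ip-address and responder-cert parameters, the 0 through 10 retry-count range, the 0 through 3600 second dead-time range, the documented defaults, and the single-responder dead-time caveat) to cert-status-profile lines before they are typed into the device. The prompt-stripping parser and the hypothetical Backup-1 profile are assumptions for illustration.

```python
import ipaddress
# Parameter constraints and defaults taken from the configuration steps above.
REQUIRED = ("name", "ip-address", "responder-cert")
DEFAULTS = {"port": 80, "retry-count": 1, "dead-time": 0,
            "type": "OCSP", "trans-protocol": "HTTP"}
INT_KEYS = ("port", "retry-count", "dead-time")
RANGES = {"retry-count": (0, 10), "dead-time": (0, 3600)}

def parse_profile(lines):
    """Build a profile dict from 'parameter value' lines typed at the
    cert-status-profile prompt; unset parameters take the documented defaults."""
    cfg = dict(DEFAULTS)
    for line in lines:
        line = line.split("# ", 1)[-1].strip()   # drop a leading ACLI prompt (assumed format)
        if not line or line in ("done", "exit", "verify-config"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = int(value) if key in INT_KEYS else value.strip()
    return cfg

def lint_profile(cfg):
    """Return the problems found in one profile; an empty list means it is acceptable."""
    problems = [f"missing required parameter {k}" for k in REQUIRED if k not in cfg]
    if "ip-address" in cfg:
        try:
            ipaddress.IPv4Address(cfg["ip-address"])
        except ValueError:
            problems.append(f"ip-address {cfg['ip-address']!r} is not an IPv4 address")
    for key, (lo, hi) in RANGES.items():
        if not lo <= cfg[key] <= hi:
            problems.append(f"{key} {cfg[key]} outside {lo}..{hi}")
    return problems

def lint_tls_profile(profile_list, profiles):
    """Check a cert-status-profile-list against the configured profiles and flag
    the single-responder case where a non-zero dead-time leaves no fallback."""
    problems = [f"unknown cert-status-profile {n}" for n in profile_list if n not in profiles]
    if len(profile_list) == 1 and profile_list[0] in profiles:
        dead = profiles[profile_list[0]]["dead-time"]
        if dead > 0:
            problems.append(f"single responder quarantined for {dead}s leaves no OCSP fallback")
    return problems

# Constructed input: the Sample Configuration profile plus a hypothetical faulty one.
GOOD = ["ORACLE(cert-status-profile)# name VerisignClass3Designate",
        "ORACLE(cert-status-profile)# ip-address 192.168.7.100",
        "ORACLE(cert-status-profile)# responder-cert VerisignClass3ValidateOCSP",
        "ORACLE(cert-status-profile)# done"]
BAD = ["name Backup-1", "ip-address 192.168.7.101", "retry-count 12", "dead-time 600"]
```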