Online Certificate Status Protocol Configuration

OCSP configuration consists of

  1. Configuring one or more certificate status profiles; each profile contains information needed to contact a specific OCSP responder.
  2. Enabling certificate revocation checking by assigning a certificate status profile to a previously configured TLS profile.

    To create a certificate status profile:

  3. From superuser mode, use the following command sequence to access cert-status-profile configuration mode. While in this mode, you provide the information required to access one or more OCSP responders.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)#
  4. Use the required name parameter to identify this cert-status-profile instance — each profile instance provides configuration data for a specific OCSP responder. name is used to distinguish between multiple profile instances.
  5. Use the required ip-address parameter to specify the IPv4 address of the OCSP responder.
  6. Use the optional port parameter to specify the destination port.

    In the absence of an explicitly configured value, the default port number of 80 is used.

  7. Use the optional realm-id parameter to specify the realm used to transmit OCSP requests.

    In the absence of an explicitly configured value, the default specifies service across the wancom0 interface.

  8. Use the optional requester-cert parameter only if OCSP requests are signed; ignore this parameter if requests are not signed.

    RFC 2560 does not require signed requests; however, local or CA policies can mandate digital signatures.

  9. Use the required responder-cert parameter to identify the certificate used to validate OCSP responses — a public key of the OCSP responder.

    RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP clients validate incoming signatures.

    Provide the name of the certificate configuration element that contains the certificate used to validate the signed OCSP response.

  10. Use the optional retry-count parameter to specify the maximum number of times to retry an OCSP responder in the event of connection failure.

    If the retry counter specified by this parameter is exceeded, the OCSP requester contacts another responder (if multiple responders have been configured within this cert-status-profile) and quarantines the unavailable responder for the period defined by the dead-time parameter.

    In the absence of an explicitly configured value (an integer within the range 0 through 10), the default of 1 is used.

    ORACLE(cert-status-profile)# retry-count 2
    ORACLE(cert-status-profile)#
  11. Use the optional dead-time parameter to specify the quarantine period imposed on an unavailable OCSP responder.

    In the absence of an explicitly configured value (an integer within the range 0 through 3600 seconds), the default value (0) is used.

    Customer implementations utilizing a single OCSP responder are encouraged to retain the default value, or to specify a brief quarantine period to prevent lengthy service outages.

  12. Retain the default values for the type and trans-protocol parameters to specify OCSP over an HTTP transport protocol.
  13. Use done, exit, and verify-config to complete configuration of this cert-status-profile instance.
  14. Repeat Steps 1 through 11 to configure additional certificate status profiles.

    To enable certificate status checking:

  15. Move to tls-profile configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# tls-profile
    ORACLE(tls-profile)#
  16. Use the required cert-status-check parameter to enable OCSP in conjunction with an existing TLS profile.
  17. Use the required cert-status-profile-list parameter to assign one or more cert-status-profiles to the current TLS profile.

    Each assigned cert-status-profile provides the information needed to access a single OCSP responder.

    Use quotation marks to assign multiple OCSP responders. The following sequence assigns three cert-status-profiles, VerisignClass3Designate, Verisign-1, and Thawte-1 to the TLS-1 profile.

  18. Use done, exit, and verify-config to complete configuration.

    Sample Configuration:

    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)# name VerisignClass3Designate
    ORACLE(cert-status-profile)# ip-address 192.168.7.100
    ORACLE(cert-status-profile)# responder-cert VerisignClass3ValidateOCSP
    ORACLE(cert-status-profile)# done
    ORACLE(cert-status-profile)# exit
    ...
    ...
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# tls-profile
    ORACLE(tls-profile)# select
    <name>:
    1. TLS-1
    2. TLS-2
    3. TLS-3
    selection: 1
    ORACLE(tls-profile)# cert-status-check enabled
    ORACLE(tls-profile)# cert-status-profile-list "VerisignClass3Designate Verisign-1 Thawte-1"
    ORACLE(tls-profile)# done
    ORACLE(tls-profile)# exit
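The retry-count, dead-time and cert-status-profile-list settings above interact in a way that is easy to get wrong: a responder that exhausts its retries is quarantined for dead-time, and if every listed responder is quarantined at once no revocation check can be completed (the outage scenario the dead-time step warns about for single-responder deployments). The following Python model is an added example, not Oracle code or the SBC's own implementation; it reproduces the page's defaults (port 80, retry-count 1, dead-time 0, the 0..10 and 0..3600 ranges) and walks the responders in cert-status-profile-list order. The responder outcomes, the ScriptedTransport class and the 192.0.2.x addresses are constructed for the demonstration.

```python
# Added example (not Oracle's code): a model of how retry-count and dead-time
# interact with a cert-status-profile-list holding several OCSP responders.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class CertStatusProfile:
    """One OCSP responder, mirroring the ACLI parameters on this page."""
    name: str
    ip_address: str
    port: int = 80            # page default when port is not configured
    retry_count: int = 1      # page default; allowed range 0..10
    dead_time: int = 0        # page default; allowed range 0..3600 seconds
    responder_cert: str = ""  # certificate record used to verify signed responses

    def validate(self) -> None:
        # Same ranges the page gives for the two optional parameters.
        if not 0 <= self.retry_count <= 10:
            raise ValueError("retry-count must be 0..10")
        if not 0 <= self.dead_time <= 3600:
            raise ValueError("dead-time must be 0..3600 seconds")

    @property
    def url(self) -> str:
        # OCSP over HTTP, the type/trans-protocol defaults on this page.
        return f"http://{self.ip_address}:{self.port}/"


# A transport returns a status string or raises ConnectionError.
Transport = Callable[[CertStatusProfile], str]


@dataclass
class OcspRequester:
    """Walks the responders in cert-status-profile-list order."""
    profiles: List[CertStatusProfile]
    quarantined_until: Dict[str, float] = field(default_factory=dict)
    attempts: Dict[str, int] = field(default_factory=dict)

    def check(self, transport: Transport, now: float) -> Tuple[Optional[str], Optional[str]]:
        """Return (status, responder name), or (None, None) if no responder answered."""
        for p in self.profiles:
            if self.quarantined_until.get(p.name, 0.0) > now:
                continue  # still inside its dead-time quarantine
            for _ in range(1 + p.retry_count):  # first attempt plus retry-count retries
                self.attempts[p.name] = self.attempts.get(p.name, 0) + 1
                try:
                    return transport(p), p.name
                except ConnectionError:
                    continue
            if p.dead_time > 0:  # retry counter exceeded: quarantine this responder
                self.quarantined_until[p.name] = now + p.dead_time
        return None, None  # every responder was down or quarantined


class ScriptedTransport:
    """Constructed stand-in for the HTTP exchange: named responders are down, others answer 'good'."""

    def __init__(self, down: Set[str]) -> None:
        self.down = set(down)

    def __call__(self, p: CertStatusProfile) -> str:
        if p.name in self.down:
            raise ConnectionError(f"no route to {p.url}")
        return "good"


def failover_demo() -> dict:
    """Two responders; the first is unreachable. Returns figures the reader can inspect."""
    primary = CertStatusProfile("Verisign-1", "192.0.2.10", retry_count=2, dead_time=300)
    backup = CertStatusProfile("Thawte-1", "192.0.2.11")
    for p in (primary, backup):
        p.validate()
    req = OcspRequester([primary, backup])
    t = ScriptedTransport(down={"Verisign-1"})
    first = req.check(t, now=0)      # 3 attempts on primary, then the backup answers
    second = req.check(t, now=100)   # primary skipped while quarantined
    third = req.check(t, now=300)    # quarantine expired, primary is tried again
    return {"first": first, "second": second, "third": third,
            "primary_attempts": req.attempts["Verisign-1"]}


def single_responder_demo(dead_time: int) -> Tuple[Optional[str], Optional[str]]:
    """A lone responder fails once, then recovers; shows why a long dead-time hurts."""
    only = CertStatusProfile("VerisignClass3Designate", "192.168.7.100", dead_time=dead_time)
    only.validate()
    req = OcspRequester([only])
    req.check(ScriptedTransport(down={only.name}), now=0)    # outage: quarantined for dead_time
    return req.check(ScriptedTransport(down=set()), now=10)  # responder is back; is it used?


if __name__ == "__main__":
    print(failover_demo())
    print(single_responder_demo(dead_time=3600), single_responder_demo(dead_time=0))
```

With two responders, the primary's failure costs three connection attempts (one plus retry-count 2) before the backup is consulted, and the primary is left alone until its 300 s quarantine lapses. With a single responder and dead-time 3600, a single transient failure makes every check fail for an hour even though the responder is back after ten seconds, which is why the dead-time step recommends keeping the default of 0 or a short quarantine in single-responder deployments.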