Configure OCSP Certificate Verification
- Access the cert-status-profile configuration element.
  ORACLE# configure terminal
  ORACLE(configure)# security
  ORACLE(security)# cert-status-profile
  ORACLE(cert-status-profile)#
- name—Provide a unique name for this profile.
- type—Select the certificate revocation check method.
  Available values are:
  - OCSP
  - CRL
- Specify either the IP address or the hostname of the CRL source.
  - ip-address—Specify the IP address of the CRL source.
  - host-name—Specify the hostname of the CRL source.
  Note: If values are provided for both attributes, the OCSBC uses the IP address and ignores the host-name value.
- realm-id—Specify the realm used to transmit OCSP requests and receive OCSP responses.
  In the absence of an explicitly configured value, the OCSBC provides a default value of wancom0, specifying OCSP protocol transmissions across the wancom0 management interface.
- requester-cert—Specify the certificate used to sign requests.
  Ignore this attribute if requests are not signed. If a signed request is required by the OCSP responder, provide the name of the certificate configuration element that contains the certificate used to sign OCSP requests.
- responder-cert—Identifies the certificate used to validate signed OCSP responses (a public key of the OCSP responder).
  Note: RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP requesters validate incoming signatures.
- retry-count—Specify the maximum number of times to retry a CRL source in the event of connection failure.
  The default is 1.
  - Min: 0
  - Max: 10
- dead-time—Specify the quarantine period imposed on an unavailable CRL source.
  The default is 0.
  - Min: 0
  - Max: 3600
- Type done to save your configuration.
- If necessary, configure additional cert-status-profile configuration elements.
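
An added example, not Oracle's code: a small Python audit that checks an exported cert-status-profile against the value ranges, defaults and ip-address/host-name precedence stated in the steps above. The text layout it parses (element name followed by indented attribute and value pairs), the function names and the sample values are assumptions made for illustration.

```python
import ipaddress

# Allowed values and (min, max, default) ranges as stated in the steps above.
TYPES = {"OCSP", "CRL"}
RANGES = {"retry-count": (0, 10, 1), "dead-time": (0, 3600, 0)}

def parse_profile(text):
    """Parse 'attribute value' lines (assumed export layout) into a dict."""
    profile = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0] != "cert-status-profile":
            profile[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return profile

def audit_profile(profile):
    """Return a list of findings for one cert-status-profile."""
    findings = []
    ptype = profile.get("type", "").upper()
    if ptype not in TYPES:
        findings.append(f"type: {ptype!r} is not OCSP or CRL")
    ip, host = profile.get("ip-address"), profile.get("host-name")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"ip-address: {ip!r} is not a valid IP address")
        if host:
            findings.append(f"host-name: {host!r} is ignored because ip-address is set")
    elif not host:
        findings.append("source: neither ip-address nor host-name is set")
    if not profile.get("realm-id"):
        findings.append("realm-id: unset, traffic defaults to wancom0 (management interface)")
    if ptype == "OCSP" and not profile.get("responder-cert"):
        findings.append("responder-cert: unset, no certificate to validate signed OCSP responses")
    for attr, (low, high, default) in RANGES.items():
        raw = profile.get(attr, str(default))  # an unset attribute takes its default
        if not raw.isdigit() or not low <= int(raw) <= high:
            findings.append(f"{attr}: {raw!r} is outside {low}-{high}")
    return findings

# Constructed sample profile, not taken from a real device.
SAMPLE = """cert-status-profile
    name            ocsp-primary
    type            OCSP
    ip-address      192.0.2.10
    host-name       ocsp.example.test
    retry-count     12
"""
```

Calling `audit_profile(parse_profile(SAMPLE))` reports the ignored host-name, the defaulted realm, the missing responder-cert and the out-of-range retry-count.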