Configure OCSP Certificate Verification

  1. Access the cert-status-profile configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# cert-status-profile
    ORACLE(cert-status-profile)#
  2. name—Provide a unique name for this profile.
  3. type—Select the certificate revocation check method.
    Available values are:
    • OCSP
    • CRL
  4. Specify either the IP address or the hostname of the CRL source.
    • ip-address—Specify the IP address of the CRL source.
    • host-name—Specify the hostname of the CRL source.

    Note:

    If values are provided for both attributes, the OCSBC uses the IP address and ignores the host-name value.
  5. realm-id—Specify the realm used to transmit OCSP requests and receive OCSP responses.

    In the absence of an explicitly configured value, the OCSBC provides a default value of wancom0, specifying OCSP protocol transmissions across the wancom0 management interface.

  6. requester-cert—Specify the certificate used to sign requests.
    Ignore this attribute if requests are not signed. If a signed request is required by the OCSP responder, provide the name of the certificate configuration element that contains the certificate used to sign OCSP requests.
  7. responder-cert—Identifies the certificate used to validate signed OCSP responses (the public key of the OCSP responder).

    Note:

    RFC 2560 requires that all OCSP responders digitally sign OCSP responses, and that OCSP requesters validate incoming signatures.
  8. retry-count—Specify the maximum number of times to retry a CRL source in the event of connection failure.
    The default is 1.
    • Min: 0
    • Max: 10
  9. dead-time—Specify the quarantine period imposed on an unavailable CRL source.
    The default is 0.
    • Min: 0
    • Max: 3600
  10. Type done to save your configuration.
  11. If necessary, configure additional cert-status-profile configuration elements.
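As an added example, constructed for this page and not taken from Oracle's own documentation, the whole procedure above as a single ACLI session. The profile name ocspProfileConstructed, the documentation-range address 192.0.2.10 and the certificate-record name ocspResponderCert are placeholders; the "parameter value" form of each line is assumed from the prompts shown in step 1, and the parameter names are the ones listed in steps 2 through 9.

```text
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# cert-status-profile
ORACLE(cert-status-profile)# name ocspProfileConstructed
ORACLE(cert-status-profile)# type OCSP
ORACLE(cert-status-profile)# ip-address 192.0.2.10
ORACLE(cert-status-profile)# realm-id wancom0
ORACLE(cert-status-profile)# responder-cert ocspResponderCert
ORACLE(cert-status-profile)# retry-count 3
ORACLE(cert-status-profile)# dead-time 300
ORACLE(cert-status-profile)# done
```

Only ip-address is set, since a host-name given alongside it would be ignored (step 4). requester-cert is left unset because the responder in this example does not require signed requests; responder-cert is set because the OCSBC must validate the responder's signature on every response, the RFC 2560 requirement noted in step 7. retry-count 3 and dead-time 300 fall inside the documented ranges, so a responder that fails three connection attempts is quarantined for five minutes before the OCSBC contacts it again.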