ocsp (Security PKI)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 12.1X46-D20.
Description
Configure Online Certificate Status Protocol (OCSP) to check the revocation status of a certificate.
Options
connection-failure | — | (Optional) Specify the action to take if the connection to the OCSP responder fails. If this option is not configured and there is no response from the OCSP responder, certificate validation fails. |
disable-responder-revocation-check | — | (Optional) Disable the revocation check for the CA certificate received in an OCSP response. Certificates received in an OCSP response generally have shorter lifetimes, and a revocation check is not required. |
nonce-payload | — | (Optional) Send a nonce payload to prevent replay attacks. A nonce payload is sent by default unless it is explicitly disabled. If enabled, the SRX Series device expects OCSP responses to contain a nonce payload; otherwise the revocation check fails. If the OCSP responders cannot respond with a nonce payload, disable this option. |
url ocsp-url | — | Specify HTTP addresses for OCSP responders. A maximum of two HTTP URL addresses can be configured. If the configured URLs are not reachable, or no URLs are configured, the URL from the certificate being verified is checked. |
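The following audit script is an added example, not part of the Juniper documentation. It reads Junos `set` lines and reports, per CA profile, how the options above are configured. The `set security pki ca-profile ... revocation-check ocsp` path and the values `disable` and `fallback-crl` are assumed from Junos set syntax rather than taken from this page, and the profile names and URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample in Junos "set" form; the hierarchy path is an assumption.
P = "set security pki ca-profile {} revocation-check ocsp {}"
SAMPLE = "\n".join([
    P.format("CA1", "url http://ocsp1.example.net/"),
    P.format("CA1", "nonce-payload disable"),
    P.format("CA1", "connection-failure fallback-crl"),
    P.format("CA2", "url http://ocsp1.example.net/"),
    P.format("CA2", "url http://ocsp2.example.net/"),
    P.format("CA2", "url https://ocsp3.example.net/"),
    P.format("CA2", "disable-responder-revocation-check"),
])
LINE = re.compile(
    r"^set security pki ca-profile (\S+) revocation-check ocsp (\S+)(?:\s+(\S+))?$")

def audit_ocsp(config_text):
    """Map each CA profile to findings about the OCSP options documented above."""
    profiles = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an OCSP statement
        name, option, value = m.groups()
        prof = profiles.setdefault(name, {"urls": [], "opts": {}})
        if option == "url" and value:
            prof["urls"].append(value)
        else:
            prof["opts"][option] = value
    report = {}
    for name, prof in profiles.items():
        urls, opts, out = prof["urls"], prof["opts"], []
        if not urls:
            out.append("no-url: responder URL from the certificate is used")
        if len(urls) > 2:
            out.append("too-many-urls: at most two responder URLs are allowed")
        out += [f"non-http-url: {u}" for u in urls if urlparse(u).scheme != "http"]
        if opts.get("nonce-payload") == "disable":
            out.append("nonce-off: responses are not checked for a nonce")
        if "connection-failure" in opts:
            out.append(f"conn-fail-action: {opts['connection-failure']}")
        else:
            out.append("conn-fail-default: validation fails if no response")
        if "disable-responder-revocation-check" in opts:
            out.append("responder-cert-unchecked: no revocation check on it")
        report[name] = out
    return report

if __name__ == "__main__":
    for profile, findings in audit_ocsp(SAMPLE).items():
        print(profile, findings)
```

Each finding starts with a short tag so the output can be filtered; the text after the colon restates the behavior described in the Options table.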
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Related Documentation
- Public Key Infrastructure Feature Guide for Security Devices