ocsp (Security PKI)
Syntax
ocsp {
    connection-failure (disable | fallback-crl);
    disable-responder-revocation-check;
    nonce-payload (enable | disable);
    url ocsp-url;
}
Hierarchy Level
[edit security pki ca-profile ca-profile-name revocation-check]
Description
Configure Online Certificate Status Protocol (OCSP) to check the revocation status of a certificate.
Options
connection-failure
    (Optional) Specify the action to take if the connection to the OCSP responder fails. Values: disable, fallback-crl. If this option is not configured and there is no response from the OCSP responder, certificate validation fails.

disable-responder-revocation-check
    (Optional) Disable the revocation check for the CA certificate received in an OCSP response. Certificates received in an OCSP response generally have short lifetimes, so a revocation check is not required.

nonce-payload
    (Optional) Send a nonce payload to prevent replay attacks. A nonce payload is sent by default unless it is explicitly disabled. If enabled, the SRX Series Firewall expects OCSP responses to contain a nonce payload; otherwise the revocation check fails. If the OCSP responders are not capable of responding with a nonce payload, disable this option.

url ocsp-url
    Specify the HTTP addresses of the OCSP responders. A maximum of two HTTP URLs can be configured. If the configured URLs are not reachable, or no URLs are configured, the URL from the certificate being verified is used.
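As an added configuration example (not taken from the original page), the statement applied at its hierarchy level in set format; the CA profile name example-ca and the responder URLs are placeholders:

```junos
# Placeholder CA profile "example-ca"; replace with the real profile name.
# Fall back to the CRL instead of failing validation when the responder is unreachable.
set security pki ca-profile example-ca revocation-check ocsp connection-failure fallback-crl
# Responder certificates are short-lived, so skip their own revocation check.
set security pki ca-profile example-ca revocation-check ocsp disable-responder-revocation-check
# Keep nonce checking on (the default) so replayed OCSP responses are rejected.
set security pki ca-profile example-ca revocation-check ocsp nonce-payload enable
# At most two responder URLs (placeholders); if both are unreachable the URL in the
# certificate under verification is used.
set security pki ca-profile example-ca revocation-check ocsp url http://ocsp1.example.net
set security pki ca-profile example-ca revocation-check ocsp url http://ocsp2.example.net
```

Only disable nonce-payload for responders that cannot return a nonce, since doing so removes the replay protection described above.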
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X46-D20.