ocsp url

Syntax

ocsp url {primary | secondary} <URL>

no ocsp url {primary | secondary}

Description

Configures the OSCP responder URLs that the current TA profile uses to verify the revocation status of an X.509 digital certificate. These URLs override the OSCP responder URL contained within the peer certificate being verified (as well as URLs defined in any intermediate CAs in the chain of trust).

If no OSCP responder URLs are defined for a TA profile (default setting), then the OSCP responder URL in the peer certificate is used for revocation status checking. (The OSCP responder URL is contained in a certificate's Authority Information Access field, which is an X.509 v3 certificate extension.)

The no form of this command deletes the specified OSCP responder URL (primary or secondary) from the current TA profile.

Command context

config-ta-<TA-NAME>

Parameters

{primary | secondary} <URL>
Specify the HTTP URL of the primary or secondary OSCP responder using either a fully qualified domain name or IPv4 address.

Authority

Administrators

Examples

Defining the primary OSCP URL for the TA profile my-root-cert:

switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# ocsp url primary http://ocsp-server.my-site.com

Removing the primary OSCP URL from the TA profile my-root-cert:

switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# no ocsp url primary