ocsp enforcement-level

Syntax

ocsp enforcement-level {strict | optional}

no enforcement-level

Description

Sets either strict or reduced enforcement of the OCSP check of certificates. Strict enforcement is enabled by default.

The no form of this command resets enforcement to its default of strict.

Command context

config-ta-<TA-NAME>

Parameters

strict
Sets strict OCSP checking of certificates. The certificate is accepted only if every possible check succeeds; any failure (validation failure, software system error, configuration error, or transactional error) causes the certificate to be rejected.
optional
Sets reduced OCSP checking of certificates. The certificate is accepted unless one or more of these validation errors occur:
  • Response signature invalid.

  • Nonce in response mismatch.

  • Certificate revoked, but only when revocation checking is possible. If the revocation check is not possible, the certificate is still accepted if there are no other validation errors.

Authority

Administrators or local user group members with execution rights for this command.

Examples

Setting reduced OCSP checking of certificates:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# ocsp enforcement-level optional

Setting strict OCSP checking of certificates:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# ocsp enforcement-level strict
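
The following Python model of the accept/reject rules in the Parameters section is an added example, not code from the switch or its vendor; it lists the check outcomes that optional lets through and strict rejects. The Outcome labels and function names are hypothetical, and treating "revocation check not possible" as a failed check under strict is an assumption drawn from the wording above.

```python
from enum import Enum, auto

class Outcome(Enum):
    """Hypothetical labels for OCSP check results; not identifiers from the switch."""
    GOOD = auto()                # responder reports the certificate as good
    SIGNATURE_INVALID = auto()   # response signature invalid
    NONCE_MISMATCH = auto()      # nonce in response mismatch
    REVOKED = auto()             # responder reports the certificate as revoked
    CHECK_NOT_POSSIBLE = auto()  # revocation check could not be performed
    SYSTEM_ERROR = auto()        # software system error
    CONFIG_ERROR = auto()        # configuration error
    TRANSACTION_ERROR = auto()   # transactional error

# The three validation errors that still reject a certificate under "optional".
REJECTED_BY_OPTIONAL = frozenset(
    {Outcome.SIGNATURE_INVALID, Outcome.NONCE_MISMATCH, Outcome.REVOKED}
)

def accepted(level, outcomes):
    """Return True if a certificate with these check outcomes is accepted."""
    outcomes = frozenset(outcomes)
    if level == "strict":
        # Every check must succeed: the only tolerated result is GOOD.
        return outcomes == {Outcome.GOOD}
    if level == "optional":
        # Accept unless one of the three listed validation errors occurred.
        return not (outcomes & REJECTED_BY_OPTIONAL)
    raise ValueError(f"unknown enforcement level: {level!r}")

def accepted_only_under_optional():
    """Single outcomes that "optional" lets through but "strict" rejects."""
    return sorted(
        (o for o in Outcome
         if accepted("optional", [o]) and not accepted("strict", [o])),
        key=lambda o: o.value,
    )

if __name__ == "__main__":
    for o in accepted_only_under_optional():
        print(f"optional accepts, strict rejects: {o.name}")
```

Every outcome this prints is a case where a certificate whose revocation status was never confirmed is still accepted under optional.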