ocsp disable-nonce

Syntax

ocsp disable-nonce

no ocsp disable-nonce

Description

Configures exclusion of the nonce from OCSP requests. A nonce is a unique identifier that an OCSP client inserts in an OCSP request and expects the OCSP responder to return in the corresponding OCSP response. The nonce mechanism helps prevent replay attacks, in which a malicious party attempts to masquerade as the OCSP responder. Although the nonce is included by default, it can be excluded. Some OCSP responders choose not to support the nonce because of performance considerations.

The no form of this command re-enables nonce inclusion in OCSP requests.

Command context

config-ta-<TA-NAME>

Authority

Administrators or local user group members with execution rights for this command.

Examples

Disable inclusion of the nonce in OCSP requests for TA profile root-cert:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# ocsp disable-nonce

Enable inclusion of the nonce in OCSP requests for TA profile root-cert:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# no ocsp disable-nonce
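
The nonce check described in the Description section, as an added example (not vendor code and not the switch's implementation): a simplified Python model of how a client treats a replayed response with the nonce enabled and with it disabled. OcspResponse, accept, demo and the 7-day validity window are assumptions made for illustration; real OCSP responses are signed ASN.1 structures, and signature verification is omitted here.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass(frozen=True)
class OcspResponse:
    """Simplified model of an OCSP response (assumption: no ASN.1, no signature)."""
    cert_status: str            # "good" or "revoked"
    this_update: datetime       # start of the response's validity window
    next_update: datetime       # end of the response's validity window
    nonce: Optional[bytes]      # request nonce echoed back, None if omitted

def accept(resp: OcspResponse, sent_nonce: Optional[bytes],
           now: datetime) -> Tuple[bool, str]:
    """Client-side check. sent_nonce=None models 'ocsp disable-nonce'."""
    if not (resp.this_update <= now <= resp.next_update):
        return False, "stale: outside thisUpdate/nextUpdate"
    if sent_nonce is None:
        # Nonce disabled: freshness rests on the validity window alone.
        return True, "accepted on validity window only"
    if resp.nonce is None or not hmac.compare_digest(resp.nonce, sent_nonce):
        return False, "nonce mismatch: possible replay"
    return True, "accepted: nonce matches this request"

def demo() -> dict:
    week = timedelta(days=7)                          # assumed validity window
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed timeline
    # Constructed sample: a "good" response issued at t0 for an earlier request.
    captured = OcspResponse("good", t0, t0 + week, secrets.token_bytes(32))
    # Two days later the certificate is revoked and the old response is replayed.
    now = t0 + timedelta(days=2)
    n = secrets.token_bytes(32)                       # nonce for the new request
    fresh = OcspResponse("revoked", now, now + week, n)
    return {
        "replay_nonce_enabled": accept(captured, n, now),
        "replay_nonce_disabled": accept(captured, None, now),
        "replay_after_next_update": accept(captured, None, t0 + timedelta(days=8)),
        "fresh_with_nonce": accept(fresh, n, now),
    }

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

In this model, with the nonce disabled the replayed "good" response is accepted until its nextUpdate time passes, so the validity window is the only bound on replay.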