ocsp url


ocsp url {primary | secondary} <URL>

no ocsp url {primary | secondary}


Configures the OCSP responder URLs that the current TA profile uses to verify the revocation status of an X.509 digital certificate. These URLs override the OCSP responder URL contained within the peer certificate being verified (as well as URLs defined in any intermediate CAs in the chain of trust).

If no OCSP responder URLs are defined for a TA profile (default setting), then the OCSP responder URL in the peer certificate is used for revocation status checking. (The OCSP responder URL is contained in a certificate's Authority Information Access field, which is an X.509 v3 certificate extension.)

The no form of this command deletes the specified OCSP responder URL (primary or secondary) from the current TA profile.

Command context



{primary | secondary} <URL>
Specify the HTTP URL of the primary or secondary OCSP responder using either a fully qualified domain name or IPv4 address.


Administrators or local user group members with execution rights for this command.


Defining the primary OCSP URL for the TA profile root-cert:

switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# ocsp url primary http://ocsp-server.site.com

Removing the primary OCSP URL from the TA profile root-cert:

switch(config)# crypto pki ta-profile oot-cert
switch(config-ta-root-cert)# revocation-check ocsp
switch(config-ta-root-cert)# no ocsp url primary