APIRef_tm_ltm_auth_ocsp-responder

mgmt/tm/ltm/auth/ocsp-responder

/tm/ltm/auth

Online Certificate System Protocol (OCSP) responder configuration

REST Endpoints

Collection URI
/mgmt/tm/ltm/auth/ocsp-responder
Collection Methods
OPTIONS, GET
Resource URI
/mgmt/tm/ltm/auth/ocsp-responder/~resource id
Resource Methods
OPTIONS, GET, PUT, PATCH, DELETE, POST
Resource Natural Key
name, partition, subPath

Properties

Name Type Default Value Required Access Description
allowCerts string enabled optional read/write Enables or disables the addition of certificates to an OCSP request. The default value is enabled.
appService string   optional read/write The application service that the object belongs to.
caFile string   optional read/write Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response.
caPath string   optional read/write Specifies the name of the path containing trusted CA certificates used to verify the signature on the OCSP response.
certIdDigest string sha1 optional read/write Specifies a specific algorithm identifier, either sha1 or md5. sha1 is newer and provides more security with a 160 bit hash length. md5 is older and has only a 128 bit hash length. The default values is sha1. The cert ID is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates the cert ID using a hash of the Issuer and serial number for the certificate that it is trying to verify.
chain string enabled optional read/write Specifies whether the system constructs a chain from certificates in the OCSP response. The default value is enabled.
checkCerts string enabled optional read/write Enables or disables verification of an OCSP response certificate. Use this option for debugging purposes only. The default value is enabled.
description string   optional read/write User defined description.
explicit string enabled optional read/write Specifies that the BIG-IP local traffic management system explicitly trusts that the OCSP response signer’s certificate is authorized for OCSP response signing. If the signer’s certificate does not contain the OCSP signing extension, specification of this option causes a response to be untrusted. The default value is enabled.
ignoreAia string disabled optional read/write Specifies whether the system ignores the URL contained in the certificate’s AIA fields, and always uses the URL specified by the responder instead. The default value is disabled.
intern string enabled optional read/write Specifies whether the system ignores certificates contained in an OCSP response when searching for the signer’s certificate. To use this setting, the signer’s certificate must be specified with either the verify-other or va-file option. The default value is enabled.
nonce string enabled optional read/write Specifies whether the system verifies an OCSP response signature or the nonce values. The default value is enabled.
tmPartition string Common optional read/write Displays the partition within which the server resides.
signDigest string sha1 optional read/write Specifies the algorithm for signing the request, using the signing certificate and key. This parameter has no meaning if request signing is not in effect (that is, both the request signing certificate and request signing key parameters are empty). This parameter is required only when request signing is in effect. The default value is sha1.
signKey string   optional read/write Specifies the key that the system uses to sign an OCSP request. The default value is none.
signKeyPassPhrase string   optional read/write Specifies the passphrase that the system uses to encrypt the sign key. The default value is none.
signOther string   optional read/write Adds a list of additional certificates to an OCSP request.
signer string   optional read/write Specifies a certificate used to sign an OCSP request. If the certificate is specified but the key is not specified, then the private key is read from the same file as the certificate. If neither the certificate nor the key is specified, then the request is not signed. If the certificate is not specified and the key is specified, then the configuration is considered to be invalid.
statusAge integer 0 optional read/write Specifies the age of the status of the OCSP responder. The default value is 0 (zero).
trustOther string disabled optional read/write Instructs the BIG-IP local traffic management system to trust the certificates specified with the verify-other option. The default value is disabled.
url string   optional read/write Specifies the URL used to contact the OCSP service on the responder. When using the ocsp responder command, you must specify a URL.
vaFile string   optional read/write Specifies the name of the file containing explicitly-trusted responder certificates. This parameter is needed in the event that the responder is not covered by the certificates already loaded into the responder’s CA store.
validityPeriod integer 300 optional read/write Specifies the number of seconds used to specify an acceptable error range. This option is used when the OCSP responder clock and a client clock are not synchronized, which could cause a certificate status check to fail. This value must be a positive number. The default value is 300 seconds.
verify string enabled optional read/write Enables or disables verification of an OCSP response signature or the nonce values. Used for debugging purposes only. The default value is enabled.
verifyCert string enabled optional read/write Specifies that the system makes additional checks to see if the signer’s certificate is authorized to provide the necessary status information. Use this option for testing purposes only. The default value is enabled.
verifyOther string   optional read/write Specifies the name of the file used to search for an OCSP response signing certificate when the certificate has been omitted from the response.
verifySig string enabled optional read/write Specifies that the system checks the signature on the OCSP response. Use this option for testing purposes only. The default value is enabled.
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.