APIRef_tm_ltm_auth_ocsp-responder¶
mgmt/tm/ltm/auth/ocsp-responder
Online Certificate System Protocol (OCSP) responder configuration
REST Endpoints
- Collection URI
/mgmt/tm/ltm/auth/ocsp-responder
- Collection Methods
OPTIONS, GET
- Resource URI
/mgmt/tm/ltm/auth/ocsp-responder/~resource id
- Resource Methods
OPTIONS, GET, PUT, PATCH, DELETE, POST
- Resource Natural Key
name, partition, subPath
Properties
Name | Type | Default Value | Required | Access | Description |
---|---|---|---|---|---|
allowCerts |
string | enabled | optional | read/write | Enables or disables the addition of certificates to an OCSP request. The default value is enabled. |
appService |
string | optional | read/write | The application service that the object belongs to. | |
caFile |
string | optional | read/write | Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response. | |
caPath |
string | optional | read/write | Specifies the name of the path containing trusted CA certificates used to verify the signature on the OCSP response. | |
certIdDigest |
string | sha1 | optional | read/write | Specifies a specific algorithm identifier, either sha1 or md5. sha1 is newer and provides more security with a 160 bit hash length. md5 is older and has only a 128 bit hash length. The default values is sha1. The cert ID is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates the cert ID using a hash of the Issuer and serial number for the certificate that it is trying to verify. |
chain |
string | enabled | optional | read/write | Specifies whether the system constructs a chain from certificates in the OCSP response. The default value is enabled. |
checkCerts |
string | enabled | optional | read/write | Enables or disables verification of an OCSP response certificate. Use this option for debugging purposes only. The default value is enabled. |
description |
string | optional | read/write | User defined description. | |
explicit |
string | enabled | optional | read/write | Specifies that the BIG-IP local traffic management system explicitly trusts that the OCSP response signer’s certificate is authorized for OCSP response signing. If the signer’s certificate does not contain the OCSP signing extension, specification of this option causes a response to be untrusted. The default value is enabled. |
ignoreAia |
string | disabled | optional | read/write | Specifies whether the system ignores the URL contained in the certificate’s AIA fields, and always uses the URL specified by the responder instead. The default value is disabled. |
intern |
string | enabled | optional | read/write | Specifies whether the system ignores certificates contained in an OCSP response when searching for the signer’s certificate. To use this setting, the signer’s certificate must be specified with either the verify-other or va-file option. The default value is enabled. |
nonce |
string | enabled | optional | read/write | Specifies whether the system verifies an OCSP response signature or the nonce values. The default value is enabled. |
tmPartition |
string | Common | optional | read/write | Displays the partition within which the server resides. |
signDigest |
string | sha1 | optional | read/write | Specifies the algorithm for signing the request, using the signing certificate and key. This parameter has no meaning if request signing is not in effect (that is, both the request signing certificate and request signing key parameters are empty). This parameter is required only when request signing is in effect. The default value is sha1. |
signKey |
string | optional | read/write | Specifies the key that the system uses to sign an OCSP request. The default value is none. | |
signKeyPassPhrase |
string | optional | read/write | Specifies the passphrase that the system uses to encrypt the sign key. The default value is none. | |
signOther |
string | optional | read/write | Adds a list of additional certificates to an OCSP request. | |
signer |
string | optional | read/write | Specifies a certificate used to sign an OCSP request. If the certificate is specified but the key is not specified, then the private key is read from the same file as the certificate. If neither the certificate nor the key is specified, then the request is not signed. If the certificate is not specified and the key is specified, then the configuration is considered to be invalid. | |
statusAge |
integer | 0 | optional | read/write | Specifies the age of the status of the OCSP responder. The default value is 0 (zero). |
trustOther |
string | disabled | optional | read/write | Instructs the BIG-IP local traffic management system to trust the certificates specified with the verify-other option. The default value is disabled. |
url |
string | optional | read/write | Specifies the URL used to contact the OCSP service on the responder. When using the ocsp responder command, you must specify a URL. | |
vaFile |
string | optional | read/write | Specifies the name of the file containing explicitly-trusted responder certificates. This parameter is needed in the event that the responder is not covered by the certificates already loaded into the responder’s CA store. | |
validityPeriod |
integer | 300 | optional | read/write | Specifies the number of seconds used to specify an acceptable error range. This option is used when the OCSP responder clock and a client clock are not synchronized, which could cause a certificate status check to fail. This value must be a positive number. The default value is 300 seconds. |
verify |
string | enabled | optional | read/write | Enables or disables verification of an OCSP response signature or the nonce values. Used for debugging purposes only. The default value is enabled. |
verifyCert |
string | enabled | optional | read/write | Specifies that the system makes additional checks to see if the signer’s certificate is authorized to provide the necessary status information. Use this option for testing purposes only. The default value is enabled. |
verifyOther |
string | optional | read/write | Specifies the name of the file used to search for an OCSP response signing certificate when the certificate has been omitted from the response. | |
verifySig |
string | enabled | optional | read/write | Specifies that the system checks the signature on the OCSP response. Use this option for testing purposes only. The default value is enabled. |
Copyright (c) 2016, F5 Networks Inc. All Rights Reserved.
The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.