Management::CertificateValidatorOCSP

Introduced : BIG-IP_v13.0.0
The CertificateValidatorOCSP interface enables you to manipulate the Online Certificate Status Protocol (OCSP) certificate validator. The OCSP certificate validator specifies the options needed for the TLS extension of certificate status request. This set of options is associated with a certificate file object.

Methods

Method Description Introduced
create Creates the specified OCSP certificate validators, using either a proxy server pool or a DNS resolver. If a proxy server pool is specified, the OCSP requests are sent to a proxy server that in turn sends the requests to the OCSP responder. Otherwise, a DNS resolver must be specified for the system to make external HTTP requests. BIG-IP_v13.0.0
delete_all_ocsp_certificate_validators Deletes all OCSP certificate validators. BIG-IP_v13.0.0
delete_ocsp_certificate_validator Deletes a set of OCSP certificate validators. BIG-IP_v13.0.0
get_all_statistics Gets the statistics for all the OCSP certificate validators. BIG-IP_v13.0.0
get_cache_error_timeout Gets the cache error timeouts for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_cache_timeout Gets the cache timeouts for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_clock_skew Gets the maximum time skew between the OCSP responder and the system's clocks for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_concurrent_connections_limit Gets the maximum number of concurrent connections per OCSP responder. BIG-IP_v13.0.0
get_description Gets the descriptions for a set of OCSP certificate validators. BIG-IP_v13.0.0
get_dns_resolver Gets the DNS resolver for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_list Gets a list of OCSP certificate validators. BIG-IP_v13.0.0
get_proxy_server_pool Gets the proxy server pools that the OCSP request will be forwarded to for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_responder_url Gets the responder URL for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_route_domain Gets the route domains corresponding to the connections made to the OCSP responders using DNS resolvers for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_sign_hash Gets the hash algorithm used to sign the OCSP request for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_signer_certificate Gets the signer certificates that are used to sign the OCSP request for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_signer_key Gets the signer private keys that are used to sign the OCSP request for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_statistics Gets the statistics for a list of OCSP certificate validators. BIG-IP_v13.0.0
get_status_age Gets the status age, in seconds, for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_strict_responder_certificate_checking_state Gets the strict responder certificate checking states for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_timeout Gets the timeout of the connection made to the OCSP responder for fetching the OCSP response. BIG-IP_v13.0.0
get_trusted_responder Gets the trusted responder certificates for the specified OCSP certificate validators. BIG-IP_v13.0.0
get_version Gets the version information for this interface. BIG-IP_v13.0.0
reset_statistics Resets the statistics for a list of OCSP certificate validators. BIG-IP_v13.0.0
set_cache_error_timeout Sets the cache error timeouts for the specified OCSP certificate validators. If the OCSP response indicates an error, the response will be cached for the duration specified in cache error timeout. BIG-IP_v13.0.0
set_cache_timeout Sets the cache timeouts, in seconds, for the specified OCSP certificate validators. The lifetime of OCSP response cache is set to the lower value of the validity of the response and the configured cache timeout. BIG-IP_v13.0.0
set_clock_skew Sets the maximum time skew between the OCSP responder and the system's clocks for the specified OCSP certificate validators. Clock skew is the tolerable absolute difference in the clocks between the responder and the system. BIG-IP_v13.0.0
set_concurrent_connections_limit Sets the maximum number of concurrent connections per OCSP responder. The OCSP responder is identified from the AIA extension of the certificate, or the user-defined URL. If an OCSP responder has multiple concurrent connection limit values associated with it from different OCSP certificate validators, the lowest value will be taken into account. BIG-IP_v13.0.0
set_description Sets the description for a set of OCSP certificate validators. This is an arbitrary field which can be used for any purpose. BIG-IP_v13.0.0
set_dns_resolver Sets the DNS resolver for the specified OCSP certificate validators. The resolver is used to resolve the domain names in the OCSP responders' URLs so that the system can communicate with the OCSP responders. If a DNS resolver is not set for an OCSP certificate validator, then a pool of proxy servers must be set using set_proxy_server_pool; in that case these proxy servers communicate with the OCSP responder on behalf of the system. BIG-IP_v13.0.0
set_proxy_server_pool Sets the proxy server pool that the OCSP request will be forwarded to for the specified OCSP certificate validators, so that these proxies can communicate with the OCSP responders on behalf of the system. A pool of proxy servers can be created using LocalLB::Pool. It is a pool of IP addresses of the proxies that can forward the OCSP requests from the system to the OCSP responders. If a pool is not set for an OCSP certificate validator, then a DNS resolver must be set using set_dns_resolver; in that case the system communicates with the OCSP responder directly. BIG-IP_v13.0.0
set_responder_url Sets the responder URL for the specified OCSP certificate validators. The OCSP responder's URL may be obtained from the certificate's AIA extension(s). However, if it is explicitly set using set_responder_url, the one listed in the AIA extension is ignored. BIG-IP_v13.0.0
set_route_domain Sets the route domains corresponding to the connections made to the OCSP responders using DNS resolvers for the specified OCSP certificate validators. BIG-IP_v13.0.0
set_sign_hash Sets the hash algorithm used to sign the OCSP request for the specified OCSP certificate validators. BIG-IP_v13.0.0
set_signer_certificate Sets the signer certificates that are used to sign the OCSP request for the specified OCSP certificate validators. This method needs to be used with set_signer_key within one transaction; otherwise it will result in a missing signer certificate error. Therefore set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. BIG-IP_v13.0.0
set_signer_certificate_key_passphrase Sets the signer certificates, signer keys that are used to sign the OCSP request, and the passphrases that are used to decrypt the protected signer keys, for the specified OCSP certificate validators. BIG-IP_v13.0.0
set_signer_key Sets the signer private keys that are used to sign the OCSP request for the specified OCSP certificate validators. This method needs to be used with set_signer_certificate within one transaction; otherwise it will result in a missing signer certificate error. Therefore set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. BIG-IP_v13.0.0
set_signer_key_passphrase Sets the passphrases used to decrypt the protected signer keys of the specified OCSP certificate validators. set_signer_certificate_key_passphrase is the recommended alternative method, which can set the signer certificate, key, and passphrase simultaneously. BIG-IP_v13.0.0
set_status_age Sets the status age, in seconds, for the specified OCSP certificate validators. This specifies the maximum allowed lag time for the 'thisUpdate' time in the OCSP response that the system accepts. If this maximum is exceeded, the response is dropped. If this value is set to '0', this validation is skipped. The default value is 86400 seconds. BIG-IP_v13.0.0
set_strict_responder_certificate_checking_state Sets the strict responder certificate checking states for the specified OCSP certificate validators. If enabled, the system explicitly checks that the response signer's certificate is authorized for OCSP response signing, by checking for the OCSP signing extension in the signer's certificate. BIG-IP_v13.0.0
set_timeout Sets the timeout of the connection made to the OCSP responder for fetching the OCSP response. BIG-IP_v13.0.0
set_trusted_responder Sets the trusted responder certificates for the specified OCSP certificate validators. A trusted responder certificate of an OCSP certificate validator is the OCSP responder's certificate that we trust. This can shorten, and hence speed up, the OCSP process: if it is set, the system skips verifying the OCSP responder's certificate when it is identical to the configured one. Otherwise the system needs to verify that the responder's certificate is signed by the issuer of the certificate that is monitored by this OCSP certificate validator. BIG-IP_v13.0.0

Structures

Structure Description
CertificateValidatorOCSPStatisticEntry A struct that describes statistics for a specified OCSP certificate validator.
CertificateValidatorOCSPStatistics A struct that describes OCSP certificate validator statistics and timestamp.


Enumerations

Enumeration Description
OCSPSignHash Specifies the hash algorithm used for signing the OCSP request.

Exceptions

Exception Description

Constants

Constant Type Value Description

Aliases

Alias Type Description
CertificateValidatorOCSPStatisticEntrySequence CertificateValidatorOCSPStatisticEntry [] A sequence of OCSP certificate validator statistics.
OCSPSignHashSequence OCSPSignHash [] A sequence of OCSP sign hash specifications.
