sys crypto cert-validator ocsp

sys crypto cert-validator ocsp(1)      BIG-IP TMSH Manual      sys crypto cert-validator ocsp(1)



NAME
       ocsp - Configuration of the OCSP cert-validator.

MODULE
       sys crypto

SYNTAX
       Configure the ocsp component within the sys.crypto.cert-validator.ocsp
       module using the syntax shown in the following sections. This object is
       associated with a certificate object to enable an OCSP request for
       updating the certificate status.

   CREATE/MODIFY
	 create ocsp [name]
	 modify ocsp [name]
	   options:
	     cache-error-timeout [integer]
	     cache-timeout [indefinite | [integer] ]
	     concurrent-connections-limit [integer]
	     clock-skew [integer]
	     description [string]
	     dns-resolver [name]
	     proxy-server-pool [name]
	     responder-url [none | [string] ]
	     route-domain [name]
	     sign-hash [sha1 | sha256]
	     signer-cert [name]
	     signer-key [name]
	     signer-key-passphrase [none | [string] ]
	     status-age [integer]
	     strict-resp-cert-check [disabled | enabled]
	     timeout [indefinite | [integer] ]
	     trusted-responders [none | [name] ]

   DISPLAY
	 list ocsp [name]

   DELETE
	 delete  [all | [name]]
	   options:
	     recursive

DESCRIPTION
       You can use the ocsp component to create, modify, display or delete a
       custom OCSP cert-validator.

       The OCSP cert-validator is associated with a certificate object.

EXAMPLES
       create cert-validator my_ocsp dns-resolver name

       Creates an OCSP cert-validator named my_ocsp using the DNS resolver
       specified by name.

OPTIONS
       cache-error-timeout
	    Specifies the lifetime of an error response in the cache, in
	    seconds. The default value is 3600 seconds.

       cache-timeout
	    Specifies the lifetime of the OCSP response in the cache, in
	    seconds. The actual time period for which the response is cached
	    is the minimum of the response validity period and the
	    cache-timeout. The default value is indefinite, indicating that
	    the response validity period takes precedence.

       concurrent-connections-limit
	    Specifies the maximum number of connections per second allowed for
	    the OCSP cert-validator.

       clock-skew
	    Specifies the tolerable absolute difference in the clocks of the
	    responder and the BIG-IP, in seconds. The default value is 300.

       description
	    User defined description.

       dns-resolver
	    Specifies the DNS resolver object used for fetching the OCSP
	    response.

       partition
	    Displays the administrative partition within which this validator
	    resides.

       proxy-server-pool
	    Specifies the proxy server pool used for fetching the OCSP
	    response.

       responder-url
	    Specifies the absolute URL that overrides the OCSP responder URL
	    obtained from the certificate's AIA extension(s). This should be
	    an HTTP-based URL.

       route-domain
	    Specifies the route domain for fetching an OCSP response using
	    HTTP forward proxy.

       sign-hash
	    Specifies the hash algorithm used for signing the OCSP request.
	    The default value is sha256.

       signer-cert
	    Specifies the certificate corresponding to the key used for
	    signing the OCSP request.

       signer-key
	    Specifies the key used for signing the OCSP request.

       signer-key-passphrase
	    Specifies the passphrase of the key used for signing the OCSP
	    request.

       status-age
	    Specifies the maximum allowed lag time for the 'thisUpdate' time
	    in the OCSP response that the BIG-IP accepts. If this maximum is
	    exceeded, the response is dropped. If this value is set to 0, this
	    validation is skipped. The default value is 86400 seconds.

       strict-resp-cert-check
	    If enabled, the responder's certificate is checked for an OCSP
	    signing extension. The default value is disabled.

       timeout
	    Specifies the time interval (in seconds) that the BIG-IP waits
	    before ending the connection to the OCSP responder. The default
	    value is 8.

       trusted-responders
	    Specifies the certificates used for validating the OCSP response
	    when the responder's certificate has been omitted from the
	    response.
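
       The freshness and caching rules above (clock-skew, status-age,
       cache-timeout, cache-error-timeout) interact in ways that are easier
       to see in code. The following is an added illustration, not F5 code
       and not how the BIG-IP implements the check; it assumes clock-skew is
       applied symmetrically to both thisUpdate and nextUpdate, and that a
       response carrying no nextUpdate with an indefinite cache-timeout is
       cached without a fixed lifetime.

```python
# Added model of the OCSP cert-validator option semantics (assumption-based,
# not the BIG-IP implementation). All times are UNIX seconds.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OcspValidatorConfig:
    # Field names mirror the tmsh options; defaults are the documented ones.
    clock_skew: int = 300               # tolerated responder/BIG-IP clock drift
    status_age: int = 86400             # max thisUpdate lag; 0 skips the check
    cache_timeout: Optional[int] = None # None models "indefinite"
    cache_error_timeout: int = 3600     # lifetime of a cached error result


def accept_response(cfg: OcspValidatorConfig, now: int, this_update: int,
                    next_update: Optional[int]) -> Tuple[bool, str]:
    """Decide whether a response's timestamps are acceptable.

    Assumed reading of the options: thisUpdate may lie at most clock_skew
    seconds in the future; a response is dropped when now - thisUpdate
    exceeds status_age (unless status_age is 0); nextUpdate, when present,
    must not be more than clock_skew seconds in the past.
    """
    if this_update > now + cfg.clock_skew:
        return False, "thisUpdate is in the future beyond clock-skew"
    if cfg.status_age and now - this_update > cfg.status_age:
        return False, "thisUpdate older than status-age"
    if next_update is not None and next_update + cfg.clock_skew < now:
        return False, "nextUpdate has passed"
    return True, "ok"


def cache_lifetime(cfg: OcspValidatorConfig, now: int,
                   next_update: Optional[int], accepted: bool) -> Optional[int]:
    """Seconds to keep the result cached (None means no fixed lifetime).

    An error result lives cache_error_timeout seconds. A good response
    lives for min(remaining validity, cache_timeout); an indefinite
    cache_timeout lets the response validity period win.
    """
    if not accepted:
        return cfg.cache_error_timeout
    validity = max(0, next_update - now) if next_update is not None else None
    candidates = [v for v in (validity, cfg.cache_timeout) if v is not None]
    return min(candidates) if candidates else None
```

       Setting status-age to 0 disables the thisUpdate lag check entirely,
       so a long-stale good response is accepted as long as its nextUpdate
       (if any) has not passed.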

SEE ALSO
       create, delete, list, modify, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2013-2016. All rights reserved.



BIG-IP				  2017-01-20 sys crypto cert-validator ocsp(1)