sys crypto cert-validator ocsp
sys crypto cert-validator ocsp(1) BIG-IP TMSH Manual sys crypto cert-validator ocsp(1)
NAME
ocsp - Configuration of the OCSP cert-validator.
MODULE
sys crypto
SYNTAX
Configure the ocsp component within the sys.crypto.cert-validator.ocsp module using the syntax shown in the
following sections. This object is associated with a certificate object to enable an OCSP request for updating
the certificate status.
CREATE/MODIFY
create ocsp [name]
modify ocsp [name]
options:
cache-error-timeout [integer]
cache-timeout [indefinite | [integer] ]
concurrent-connections-limit [integer]
clock-skew [integer]
description [string]
dns-resolver [name]
proxy-server-pool [name]
responder-url [none | [string] ]
route-domain [name]
sign-hash [sha1 | sha256]
signer-cert [name]
signer-key [name]
signer-key-passphrase [none | [string] ]
status-age [integer]
strict-resp-cert-check [disabled | enabled]
timeout [indefinite | [integer] ]
trusted-responders [none | [name] ]
DISPLAY
list ocsp [name]
DELETE
delete [all | [name]]
options:
recursive
DESCRIPTION
You can use the ocsp component to create, modify, display or delete a custom OCSP cert-validator.
The OCSP cert-validator is associated with a certificate object.
EXAMPLES
create cert-validator my_ocsp dns-resolver name
Creates an OCSP cert-validator named my_ocsp using the DNS resolver specified by name.
OPTIONS
cache-error-timeout
Specifies the lifetime of an error response in the cache, in seconds. The default value is 3600 seconds.
cache-timeout
Specifies the lifetime of the OCSP response in the cache, in seconds. The actual time period for which
the response is cached is the minimum of the response validity period and the cache-timeout. The default
value is indefinite, indicating that the response validity period takes precedence.
concurrent-connections-limit
Specifies the maximum number of connections per second allowed for the OCSP cert-validator.
clock-skew
Specifies the tolerable absolute difference in the clocks of the responder and the BIG-IP, in seconds.
The default value is 300.
description
User-defined description.
dns-resolver
Specifies the DNS resolver object used for fetching the OCSP response.
partition
Displays the administrative partition within which this validator resides.
proxy-server-pool
Specifies the proxy server pool used for fetching the OCSP response.
responder-url
Specifies the absolute URL that overrides the OCSP responder URL obtained from the certificate's AIA
extension(s). This should be an HTTP-based URL.
route-domain
Specifies the route domain for fetching an OCSP response using HTTP forward proxy.
sign-hash
Specifies the hash algorithm used for signing the OCSP request. The default value is sha256.
signer-cert
Specifies the certificate corresponding to the key used for signing the OCSP request.
signer-key
Specifies the key used for signing the OCSP request.
signer-key-passphrase
Specifies the passphrase of the key used for signing the OCSP request.
status-age
Specifies the maximum allowed lag time for the 'thisUpdate' time in the OCSP response that the BIG-IP
accepts. If this maximum is exceeded, the response is dropped. If this value is set to 0, this validation
is skipped. The default value is 86400 seconds.
strict-resp-cert-check
If enabled, the responder's certificate is checked for an OCSP signing extension. The default value is
disabled.
timeout
Specifies the time interval (in seconds) that the BIG-IP waits before ending the connection to the
OCSP responder. The default value is 8.
trusted-responders
Specifies the certificates used for validating the OCSP response when the responder's certificate has
been omitted from the response.
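As an added illustration, not part of this manual or of F5's code, the following Python models how the cache-timeout, cache-error-timeout, clock-skew and status-age options above combine to decide whether a fetched response is accepted and for how long it is cached. How the individual checks compose is an assumption drawn from the option descriptions, and the reference clock and response timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass
class OcspValidatorConfig:
    # Field names mirror the tmsh options; defaults are the values the man page states.
    clock_skew: int = 300                 # tolerated responder/BIG-IP clock drift, seconds
    status_age: int = 86400               # max lag of thisUpdate, seconds; 0 skips the check
    cache_timeout: Optional[int] = None   # None models the tmsh value "indefinite"
    cache_error_timeout: int = 3600

@dataclass
class OcspResponse:
    # Constructed subset of an OCSP response: only the fields this policy depends on.
    this_update: datetime
    next_update: Optional[datetime]       # a real response may omit nextUpdate
    is_error: bool = False                # responseStatus other than "successful"

def evaluate_response(cfg: OcspValidatorConfig, resp: OcspResponse,
                      now: datetime) -> Tuple[bool, Optional[int]]:
    """Return (accepted, cache_ttl_seconds) for a response received at `now`.

    Hypothetical model of the man page's rules, not BIG-IP's code: an error response
    is unusable but cached for cache-error-timeout; thisUpdate may not be further in
    the future than clock-skew allows; status-age bounds how stale thisUpdate may be;
    a present nextUpdate must not have passed; the cache lifetime is the minimum of
    the remaining validity period and cache-timeout ("indefinite" = validity alone).
    """
    skew = timedelta(seconds=cfg.clock_skew)
    if resp.is_error:
        return False, cfg.cache_error_timeout
    if resp.this_update > now + skew:
        return False, None                # produced "in the future": dropped
    if cfg.status_age and now - resp.this_update > timedelta(seconds=cfg.status_age):
        return False, None                # thisUpdate too old: dropped
    if resp.next_update is not None and resp.next_update + skew < now:
        return False, None                # validity period already over: dropped
    remaining = None
    if resp.next_update is not None:
        remaining = max(0, int((resp.next_update - now).total_seconds()))
    candidates = [t for t in (remaining, cfg.cache_timeout) if t is not None]
    return True, (min(candidates) if candidates else None)

# Constructed reference clock and a helper for building times relative to it.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)

def at(seconds: int) -> datetime:
    return NOW + timedelta(seconds=seconds)
```

A fresh response valid for another six hours is cached for the full six hours under the default indefinite cache-timeout, but only for 600 seconds once cache-timeout is set to 600.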
SEE ALSO
create, delete, list, modify, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2013-2016. All rights reserved.
BIG-IP 2017-01-20 sys crypto cert-validator ocsp(1)