sys crypto cert-validator ocsp

sys crypto cert-validator ocsp(1)		  BIG-IP TMSH Manual		    sys crypto cert-validator ocsp(1)

NAME
       ocsp - Configuration of the OCSP cert-validator.

MODULE
       sys crypto

SYNTAX
       Configure the ocsp component within the sys.crypto.cert-validator.ocsp module using the syntax shown in the
       following sections. This object is associated with a certificate object to enable an OCSP request for updating
       the certificate status.

   CREATE/MODIFY
	 create ocsp [name]
	 modify ocsp [name]
	   options:
	     cache-error-timeout [integer]
	     cache-timeout [indefinite | [integer] ]
	     concurrent-connections-limit [integer]
	     clock-skew [integer]
	     description [string]
	     dns-resolver [name]
	     proxy-server-pool [name]
	     responder-url [none | [string] ]
	     route-domain [name]
	     sign-hash [sha1 | sha256]
	     signer-cert [name]
	     signer-key [name]
	     signer-key-passphrase [none | [string] ]
	     status-age [integer]
	     strict-resp-cert-check [disabled | enabled]
	     timeout [indefinite | [integer] ]
	     trusted-responders [none | [name] ]

   DISPLAY
	 list ocsp [name]

   DELETE
	 delete ocsp [all | [name]]
	   options:
	     recursive

DESCRIPTION
       You can use the ocsp component to create, modify, display or delete a custom OCSP cert-validator.

       The OCSP cert-validator is associated with a certificate object.

EXAMPLES
       create ocsp my_ocsp dns-resolver name

       Creates an OCSP cert-validator named my_ocsp using the DNS resolver specified by name.

OPTIONS
       cache-error-timeout
	    Specifies the lifetime of an error response in the cache, in seconds. The default value is 3600 seconds.

       cache-timeout
	    Specifies the lifetime of the OCSP response in the cache, in seconds. The actual time period for which
	    the response is cached is the minimum of the response validity period and the cache-timeout. The default
	    value is indefinite, indicating that the response validity period takes precedence.

       concurrent-connections-limit
	    Specifies the maximum number of connections per second allowed for the OCSP cert-validator.

       clock-skew
	    Specifies the tolerable absolute difference in the clocks of the responder and the BIG-IP, in seconds.
	    The default value is 300.

       description
	    User defined description.

       dns-resolver
	    Specifies the DNS resolver object used for fetching the OCSP response.

       partition
	    Displays the administrative partition within which this validator resides.

       proxy-server-pool
	    Specifies the proxy server pool used for fetching the OCSP response.

       responder-url
	    Specifies the absolute URL that overrides the OCSP responder URL obtained from the certificate's AIA
	    extension(s). This should be an HTTP-based URL.

       route-domain
	    Specifies the route domain for fetching an OCSP response using HTTP forward proxy.

       sign-hash
	    Specifies the hash algorithm used for signing the OCSP request. The default value is sha256.

       signer-cert
	    Specifies the certificate corresponding to the key used for signing the OCSP request.

       signer-key
	    Specifies the key used for signing the OCSP request.

       signer-key-passphrase
	    Specifies the passphrase of the key used for signing the OCSP request.

       status-age
	    Specifies the maximum allowed lag time for the 'thisUpdate' time in the OCSP response that the BIG-IP
	    accepts. If this maximum is exceeded, the response is dropped. If this value is set to 0, this validation
	    is skipped. The default value is 86400 seconds.

       strict-resp-cert-check
	    If enabled, the responder's certificate is checked for an OCSP signing extension. The default value is
	    disabled.

       timeout
	    Specifies the time interval (in seconds) that the BIG-IP waits before ending the connection to the
	    OCSP responder. The default value is 8.

       trusted-responders
	    Specifies the certificates used for validating the OCSP response when the responder's certificate has
	    been omitted from the response.
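       The clock-skew, status-age, cache-timeout and cache-error-timeout options interact when a response is
       evaluated, and the text above describes each one in isolation. The following Python model, added here as
       an illustration and not F5's implementation, applies those rules to constructed responses so the edge
       cases (status-age 0 skipping the lag check, cache-timeout indefinite deferring to the response validity
       period, an error response living for cache-error-timeout) can be exercised. The class and function names,
       the symmetric use of clock-skew around thisUpdate and nextUpdate, and the choice not to cache a dropped
       response are assumptions made for the example; the default values are the ones stated on this page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INDEFINITE = None  # models the tmsh value "indefinite" for cache-timeout

# Constructed "current time" for the worked examples below.
NOW = datetime(2017, 1, 20, 12, 0, tzinfo=timezone.utc)


@dataclass
class OcspValidatorConfig:
    # Defaults taken from the OPTIONS section of this page; all values are seconds.
    clock_skew: int = 300
    status_age: int = 86400            # 0 skips the thisUpdate lag check
    cache_timeout: Optional[int] = INDEFINITE
    cache_error_timeout: int = 3600


@dataclass
class OcspResponse:
    # Constructed stand-in for the fields of a decoded response; this is not a parser.
    cert_status: str                   # "good", "revoked", "unknown" or "error"
    this_update: datetime
    next_update: Optional[datetime]    # None when the responder omits nextUpdate


def make_response(status, this_update_offset_s, next_update_offset_s=None):
    """Build a constructed response whose times are offsets in seconds from NOW."""
    next_update = (None if next_update_offset_s is None
                   else NOW + timedelta(seconds=next_update_offset_s))
    return OcspResponse(status, NOW + timedelta(seconds=this_update_offset_s), next_update)


def accept_response(cfg, resp, now):
    """Apply the clock-skew and status-age rules; return (accepted, reason)."""
    skew = timedelta(seconds=cfg.clock_skew)
    # A thisUpdate further in the future than the tolerated clock difference is rejected
    # (assumption: clock-skew is applied symmetrically around both timestamps).
    if resp.this_update - now > skew:
        return False, "thisUpdate is in the future beyond clock-skew"
    # status-age: thisUpdate may lag 'now' by at most status-age seconds; 0 disables the check.
    if cfg.status_age > 0 and now - resp.this_update > timedelta(seconds=cfg.status_age):
        return False, "thisUpdate older than status-age"
    # A nextUpdate already in the past (beyond clock-skew) means the response is stale.
    if resp.next_update is not None and now - resp.next_update > skew:
        return False, "nextUpdate has passed"
    return True, "ok"


def cache_ttl(cfg, resp, now):
    """Cache lifetime in seconds for an accepted response, or INDEFINITE."""
    # Error responses are cached for cache-error-timeout.
    if resp.cert_status == "error":
        return cfg.cache_error_timeout
    # Otherwise the lifetime is the minimum of the response validity period and cache-timeout;
    # with cache-timeout indefinite, the validity period alone decides.
    validity = (None if resp.next_update is None
                else max(0, int((resp.next_update - now).total_seconds())))
    candidates = [v for v in (validity, cfg.cache_timeout) if v is not None]
    return min(candidates) if candidates else INDEFINITE


def evaluate(cfg, resp, now):
    """Full decision for one response: acceptance, reason and resulting cache lifetime."""
    accepted, reason = accept_response(cfg, resp, now)
    # Assumption: a dropped response is not cached at all (ttl 0).
    ttl = cache_ttl(cfg, resp, now) if accepted else 0
    return {"accepted": accepted, "reason": reason, "cache_ttl": ttl}


if __name__ == "__main__":
    fresh = make_response("good", -3600, 7200)        # issued an hour ago, valid two more hours
    stale = make_response("good", -172800, 7200)      # thisUpdate two days old
    print(evaluate(OcspValidatorConfig(), fresh, NOW))
    print(evaluate(OcspValidatorConfig(cache_timeout=600), fresh, NOW))
    print(evaluate(OcspValidatorConfig(), stale, NOW))
    print(evaluate(OcspValidatorConfig(status_age=0), stale, NOW))
```

       Running the script shows the fresh response accepted and cached for its remaining validity (7200 s),
       shortened to 600 s once cache-timeout is set, and the two-day-old response dropped under the default
       status-age but accepted when status-age is 0.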

SEE ALSO
       create, delete, list, modify, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2013-2016. All rights reserved.

BIG-IP						      2017-01-20		    sys crypto cert-validator ocsp(1)