OCSP server information is configured under the corresponding ca-profile:
config>system>security>pki>ca-profile>
    ocsp
        responder-url <url-string>
        service <service-id>
The responder-url command specifies the HTTP URL of the OCSP responder. The service command specifies the routing instance that the system uses to access the OCSP responder.
Example:
config>system>security>pki>ca-profile>
    ocsp
        responder-url "http://ocsp.example.com/request"
        service 100
For an ipsec-tunnel or ipsec-gw, the user can configure a primary method, a secondary method and a default result.
config>service>ies>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-tun>dynamic-keying
    cert
        status-verify
            primary {ocsp | crl} secondary {ocsp | crl}
            default-result {revoked | good}
Example:
config>service>ies>if>sap>ipsec-gw>dynamic-keying
    cert
        status-verify
            primary ocsp secondary crl
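The following Python sketch is an added example, not part of the original documentation and not the router's implementation. It models the order primary, secondary, default-result, assuming that a method which returns no answer falls through to the next step; the function names and sample serial numbers are constructed for illustration.

```python
# Added illustration, not router code. Assumption: a method that cannot
# give an answer (responder unreachable, CRL missing or expired) returns
# None and the next configured step is tried.
from typing import Callable, Dict, Optional, Tuple

Checker = Callable[[str], Optional[str]]  # "good", "revoked" or None


def status_verify(serial: str, checkers: Dict[str, Checker], primary: str,
                  secondary: Optional[str], default_result: str) -> Tuple[str, str]:
    """Return (result, source) for one certificate serial number."""
    if default_result not in ("good", "revoked"):
        raise ValueError("default-result must be 'good' or 'revoked'")
    for method in (primary, secondary):
        if method is None:          # no secondary configured
            continue
        if method not in ("ocsp", "crl"):
            raise ValueError(f"unknown method: {method}")
        answer = checkers[method](serial)
        if answer in ("good", "revoked"):
            return answer, method   # definitive answer, stop here
    return default_result, "default-result"


# Constructed sample data: serial "0A" is revoked, "0B" is not.
REVOKED = {"0A"}


def source_up(serial: str) -> Optional[str]:
    return "revoked" if serial in REVOKED else "good"


def source_down(serial: str) -> Optional[str]:
    return None  # hypothetical outage: no answer from this source


if __name__ == "__main__":
    cases = [
        ("OCSP down, CRL usable", {"ocsp": source_down, "crl": source_up}, "good"),
        ("both down, default good", {"ocsp": source_down, "crl": source_down}, "good"),
        ("both down, default revoked", {"ocsp": source_down, "crl": source_down}, "revoked"),
    ]
    for label, checkers, default in cases:
        result, source = status_verify("0A", checkers, "ocsp", "crl", default)
        print(f"{label:28} -> revoked cert 0A treated as {result} (from {source})")
```

Under this model, when both sources are unavailable, default-result good accepts the revoked serial (fail-open), while default-result revoked rejects every peer until a source recovers (fail-closed).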