Configuring OCSP

OCSP server information is configured under the corresponding ca-profile:

config>system>security>pki>ca-profile>
   ocsp
      responder-url <url-string>
      service <service-id>

The responder-url command specifies the HTTP URL of the OCSP responder. The service command specifies the routing instance that the system uses to access the OCSP responder.

Example:

config>system>security>pki>ca-profile>
   ocsp
      responder-url "http://ocsp.example.com/request"
      service 100

For an ipsec-tunnel or ipsec-gw, the user can configure a primary method, a secondary method and a default result for certificate status verification (status-verify).

config>service>ies>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-gw>
config>service>vprn>if>sap>ipsec-tun>dynamic-keying
   cert
      status-verify
         primary {ocsp | crl} secondary {ocsp | crl}
         default-result {revoked | good}

Example:

config>service>ies>if>sap>ipsec-gw>dynamic-keying
   cert
      status-verify
         primary ocsp secondary crl
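
The following Python sketch is an added illustration, not router code or vendor code. It models how the status-verify settings above combine, under the assumption that the secondary method is consulted only when the primary gives no answer and that default-result applies only when neither method answers; the function names and scenarios are constructed for the example.

```python
# Added illustration: models the status-verify fallback order, not router code.
# Assumption: a method that cannot give an answer (responder unreachable,
# no usable CRL) yields None and the next stage is consulted.

GOOD, REVOKED = "good", "revoked"
METHODS = ("ocsp", "crl")


def status_verify(primary, secondary, default_result, answers):
    """Return (result, decided_by) for one peer certificate.

    answers maps a method name to "good", "revoked", or None (no answer).
    """
    if primary not in METHODS or secondary not in METHODS:
        raise ValueError("method must be 'ocsp' or 'crl'")
    if default_result not in (GOOD, REVOKED):
        raise ValueError("default-result must be 'good' or 'revoked'")
    for method in (primary, secondary):
        answer = answers.get(method)
        if answer in (GOOD, REVOKED):
            return answer, method
    # Neither method produced an answer: the configured default decides.
    return default_result, "default-result"


def accepts_peer(primary, secondary, default_result, answers):
    """True when the revocation check would let the peer certificate pass."""
    result, _ = status_verify(primary, secondary, default_result, answers)
    return result == GOOD


# Constructed scenarios for a certificate that the CA has in fact revoked.
SCENARIOS = {
    "both sources up": {"ocsp": REVOKED, "crl": REVOKED},
    "OCSP responder down": {"ocsp": None, "crl": REVOKED},
    "OCSP down, no usable CRL": {"ocsp": None, "crl": None},
}

if __name__ == "__main__":
    for default in (REVOKED, GOOD):
        for name, answers in SCENARIOS.items():
            result, by = status_verify("ocsp", "crl", default, answers)
            print(f"default-result {default:8} | {name:25} -> {result} ({by})")
```

In the last scenario, default-result good lets the revoked certificate pass (fail-open), while default-result revoked rejects it (fail-closed) at the cost of refusing peers whenever both sources are unavailable.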