Use this dialog box to specify Online Certificate Status Protocol (OCSP) settings that verify the SSL/TLS server certificate chain. OCSP is an Internet protocol used to obtain the revocation status of an X.509 digital certificate. It is an alternative to Certificate Revocation Lists (CRLs), and is often implemented in a Public Key Infrastructure (PKI).
An OCSP server, also called a responder, may return a signed response signifying that the certificate specified in the request is good, revoked, or unknown. If it cannot process the request, it may return an error code.
Enable OCSP
Select this option to enable and configure Online Certificate Status Protocol options. In addition to the options you select here, the OCSP responder's signing certificate must be in the list of trusted certificates (imported using the Administer Terminal Emulator Applet Trusted Certificate List on the Certificates tab in the Security Setup section of the Administrative WebStation), or signed by an already trusted certificate. If the OCSP responder's signing certificate is not the same as that of the Certificate Authority (CA) that signed the server certificate, the revocation status of the OCSP responder's signing certificate will be checked unless the ocsp-no-check extension is present.
Use Authority Information Access extension in the certificates
The Authority Information Access (AIA) extension indicates how to access Certificate Authority information and services for the issuer of the certificate in which the extension appears. When this option is enabled, the OCSP server URL specified in the Authority Information Access extension of a certificate is used to check the certificate revocation status using the Online Certificate Status Protocol.
Verify that the certificate and response are signed by the same private key
If enabled, the OCSP signing certificate must be signed by the same private key that signed the SSL/TLS server certificate.
Use OCSP responders
Specify the URLs (one per line) of the OCSP responders you want to use. HTTP URLs are supported.
Example: http://ocsp.example.com
Verify that the OCSP response is signed by a designated OCSP responder
If you select this option, you can use the methods described below to verify the revocation status of the OCSP responder's signing certificate. The Extended Key Usage extension of the OCSP signing certificate must include the OCSP Signing purpose (id-kp-OCSPSigning).
Use CRL Distribution Points extension
A CRL distribution point is a location from which you can download the latest CRL. The CRL distribution points extension identifies how CRL information is obtained. If selected, the CRL distribution points extension is used to verify the certificate status of the OCSP responder.
Use Authority Information Access extension
When enabled, the Authority Information Access extension in the OCSP responder's signing certificate is used to verify the certificate status of the OCSP responder.
Use CRLs
To use Certificate Revocation Lists as part of the verification, also specify the CRL URLs (one per line) to be used. LDAP, File, and HTTP protocols are supported.
Examples:
ldap://myCAServer.example.com/CA/certificaterevocationlist
file://localhost/c:/crls/TrustAnchorCRL.crl
http://server1.example.com/CertEnroll/server1.example.com.crl
Use OCSP responders
Specify the URLs (one per line) of the OCSP responders you want to use. HTTP URLs are supported.
Example: http://ocsp.example.com
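As an added illustration (not part of this help page or of the product's own code), the following Go program applies the rules described above to a constructed CA, server and OCSP responder certificate chain: the responder's signing certificate must be signed by the same CA key that signed the server certificate, its Extended Key Usage must carry the OCSP Signing purpose, the ocsp-no-check extension exempts it from its own revocation check, and the responder URL is read from the server certificate's Authority Information Access extension. The helper names CheckResponder and DemoCerts, the subject names, serial numbers and keys are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // id-pkix-ocsp-nocheck ("ocsp-no-check"), RFC 6960 section 4.2.2.2.1

// CheckResponder (hypothetical helper) applies the dialog's rules to the server cert, the responder's signing cert and the CA cert.
func CheckResponder(server, responder, ca *x509.Certificate) (sameKey, designated, skipRevCheck bool, ocspURLs []string) {
	// "Same private key": the CA key that signed the server certificate must also have signed the responder's.
	sameKey = server.CheckSignatureFrom(ca) == nil && responder.CheckSignatureFrom(ca) == nil
	for _, eku := range responder.ExtKeyUsage { // designated responder: EKU carries the OCSP Signing purpose
		designated = designated || eku == x509.ExtKeyUsageOCSPSigning
	}
	for _, ext := range responder.Extensions { // ocsp-no-check present: the responder cert's own status is not checked
		skipRevCheck = skipRevCheck || ext.Id.Equal(oidOCSPNoCheck)
	}
	return sameKey, designated, skipRevCheck, server.OCSPServer // OCSP URLs come from the server cert's AIA extension
}

// DemoCerts builds a constructed CA, server and OCSP responder certificate chain (test fixture, not real PKI data).
func DemoCerts() (server, responder, ca *x509.Certificate) {
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), OCSPServer: []string{"http://ocsp.example.com"}} // AIA
	rspTpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "OCSP Responder"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
		ExtraExtensions: []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}} // ocsp-no-check, DER NULL
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	issue := func(t, parent *x509.Certificate, pub ed25519.PublicKey) *x509.Certificate { // every cert is signed by the CA key
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, caKey)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c
	}
	ca = issue(caTpl, caTpl, caPub)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rspPub, _, _ := ed25519.GenerateKey(rand.Reader)
	return issue(srvTpl, ca, srvPub), issue(rspTpl, ca, rspPub), ca
}
```

A responder certificate issued by a different CA fails the same-key rule even when its Extended Key Usage and ocsp-no-check extension are in order, which is the case the dialog's "same private key" option is meant to reject.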