ocsp url
Syntax
ocsp url {primary | secondary} <URL>
no ocsp url {primary | secondary}
Description
Configures the OCSP responder URLs that the current TA profile uses to verify the revocation status of an X.509 digital certificate. These URLs override the OCSP responder URL contained within the peer certificate being verified (as well as URLs defined in any intermediate CAs in the chain of trust).
If no OCSP responder URLs are defined for a TA profile (default setting), then the OCSP responder URL in the peer certificate is used for revocation status checking. (The OCSP responder URL is contained in a certificate's Authority Information Access field, which is an X.509 v3 certificate extension.)
The no form of this command deletes the specified OCSP responder URL (primary or secondary) from the current TA profile.
Command context
config-ta-<TA-NAME>
Parameters
{primary | secondary} <URL>
- Specify the HTTP URL of the primary or secondary OCSP responder using either a fully qualified domain name or IPv4 address.
Authority
Administrators
Examples
Defining the primary OCSP URL for the TA profile my-root-cert:
switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# ocsp url primary http://ocsp-server.my-site.com
Removing the primary OCSP URL from the TA profile my-root-cert:
switch(config)# crypto pki ta-profile my-root-cert
switch(config-ta-my-root-cert)# revocation-check ocsp
switch(config-ta-my-root-cert)# no ocsp url primary
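The override rule from the Description, as an added Python sketch for auditing which responder a TA profile would consult for a given certificate (this is not the switch's own code). The function names, the sample extension bytes, listing primary before secondary, and rejecting non-http schemes are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlparse

OCSP_OID = bytes.fromhex("2b06010505073001")  # id-ad-ocsp, 1.3.6.1.5.5.7.48.1
SAMPLE_AIA = (b"\x30\x51"  # constructed sample AIA value: caIssuers + OCSP entries
    b"\x30\x29\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x02\x86\x1dhttp://ca.example.test/ca.crt"
    b"\x30\x24\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x01\x86\x18http://ocsp.example.test")

def _tlv(buf, pos):  # read one DER TLV; returns (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def aia_ocsp_urls(aia_der):
    """Return the OCSP URLs in a DER-encoded Authority Information Access value."""
    tag, body, _ = _tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA must be a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        _, desc, pos = _tlv(body, pos)   # one AccessDescription
        t1, oid, p = _tlv(desc, 0)       # accessMethod (OID)
        t2, loc, _ = _tlv(desc, p)       # accessLocation (GeneralName)
        if t1 == 0x06 and oid == OCSP_OID and t2 == 0x86:  # [6] URI
            urls.append(loc.decode("ascii"))
    return urls

def valid_responder_url(url):
    """True for an HTTP URL whose host is an FQDN or an IPv4 address."""
    u = urlparse(url)
    if u.scheme != "http" or not u.hostname:
        return False
    try:
        return ipaddress.ip_address(u.hostname).version == 4
    except ValueError:  # not an IP literal: accept dotted, non-numeric names
        labels = u.hostname.split(".")
        return len(labels) > 1 and all(labels) and not labels[-1].isdigit()

def effective_responders(primary, secondary, aia_der):
    """Configured URLs override the certificate's AIA; AIA applies only if none are set."""
    configured = [u for u in (primary, secondary) if u]
    bad = [u for u in configured if not valid_responder_url(u)]
    if bad:
        raise ValueError(f"not an HTTP FQDN/IPv4 URL: {bad}")
    return configured or aia_ocsp_urls(aia_der)
```

With no URL configured, effective_responders(None, None, SAMPLE_AIA) returns the certificate's own responder; once either URL is set, the AIA value is no longer consulted.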