ocsp enforcement-level
Syntax
ocsp enforcement-level {strict | optional}
no enforcement-level
Description
Sets either strict or reduced enforcement of the OCSP check of certificates. Strict enforcement is enabled by default.
The no form of this command resets enforcement to its default of strict.
Command context
config-ta-<TA-NAME>
Parameters
strict
- Sets strict OCSP checking of certificates. The certificate is accepted only if every check succeeds. Any failure (validation failures, software system errors, configuration errors, transactional errors) causes the certificate to be rejected.
optional
- Sets reduced OCSP checking of certificates. The certificate is accepted unless one or more of these validation errors occur:
Response signature invalid.
Nonce in response mismatch.
Certificate revoked, but only when revocation checking is possible. If a revocation check is not possible, the certificate is still accepted if there are no other validation errors.
Authority
Administrators
Examples
Setting reduced OCSP checking of certificates:
switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# ocsp enforcement-level optional
Setting strict OCSP checking of certificates:
switch(config)# crypto pki ta-profile root-cert
switch(config-ta-root-cert)# ocsp enforcement-level strict
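
The difference between the two levels described under Parameters, as an added example (not vendor code): it models the accept/reject decision and lists the certificates that optional accepts without a successful OCSP check. The outcome names, certificate names and sample events are constructed for illustration.

```python
# Added example: models the strict/optional decision described on this page.
# Outcome names, certificate names and events are constructed for illustration.
from enum import Enum


class Outcome(Enum):
    GOOD = "good"
    REVOKED = "certificate revoked"
    SIGNATURE_INVALID = "response signature invalid"
    NONCE_MISMATCH = "nonce in response mismatch"
    TRANSACTIONAL_ERROR = "transactional error"
    CONFIGURATION_ERROR = "configuration error"
    SYSTEM_ERROR = "software system error"


# The only outcomes that still reject a certificate under "optional".
HARD_FAILURES = {Outcome.REVOKED, Outcome.SIGNATURE_INVALID, Outcome.NONCE_MISMATCH}


def accepts(level, outcome):
    """Return True if a certificate with this OCSP outcome is accepted."""
    if level == "strict":
        return outcome is Outcome.GOOD
    if level == "optional":
        return outcome not in HARD_FAILURES
    raise ValueError(f"unknown enforcement level: {level!r}")


def accepted_only_under_optional(events):
    """List (certificate, outcome) pairs that optional accepts but strict rejects."""
    return [(cert, o) for cert, o in events
            if accepts("optional", o) and not accepts("strict", o)]


# Constructed sample of OCSP check results.
EVENTS = [
    ("server-a", Outcome.GOOD),
    ("server-b", Outcome.TRANSACTIONAL_ERROR),
    ("server-c", Outcome.REVOKED),
    ("server-d", Outcome.CONFIGURATION_ERROR),
    ("server-e", Outcome.NONCE_MISMATCH),
]

if __name__ == "__main__":
    for cert, outcome in accepted_only_under_optional(EVENTS):
        print(f"{cert}: accepted without a successful OCSP check ({outcome.value})")
```

Under optional, server-b and server-d are accepted even though no valid revocation status was obtained, which is the exposure to weigh before moving a TA profile off the strict default.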