NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://[1100::203]:6514.Configuring OCSP behaviorYou can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders.To configure this behavior, follow this step:In CONFIGURATION mode, enter the following command:crypto x509 ocsp {[nonce] [sign-request]}Both the none and sign-request parameters are optional. The default behavior is to not use these two options. If your OCSPresponder uses pre-computed responses, you cannot use the none feature in the switch's communcations with the responder. If yourOCSP responder requires signed requests, you can use the sign-requests option.Configuring Revocation BehaviorYou can configure the system behavior if an OCSP responder fails.By default, when all the OCSP responders fail to send a response to an OSCP request, the system accepts the certificate and logs theevent. However, you can configure the system to reject the certificate in case OCSP responders fail.To configure OCSP revocation settings:In CONFIGURATION mode, enter the following command:crypto x509 revocation ocsp [accept | reject]The default behavior is to accept certificates if either an OCSP responder is unavailable or if no responder is identified.Configuring OSCP responder preferenceYou can configure the preference or order that the CA or a device follows while contacting multiple OCSP responders.Enter the following command in Certificate mode:ocsp-server preferVerifying certificatesA CA certificate’s public key is used to decrypt a presented certificate’s signature to obtain a hash value.The rest of the presented certificate is also hashed and if the two hashes match then the certificate is considered valid.During verification, the system checks the presented certificates for revocation information. The system also enables you to configurebehavior in case a certificate’s revocation status cannot be verified; for example, when the OCSP responder is unreachable you can altersystem behavior to accept or reject the certificate depending on configuration. The default behavior is to accept the certificates. Thesystem also logs the events where the OSCP responders fail or invalid OSCP responses are received.NOTE: A CA certificate can also berevoked.1080 X.509v3