OCSP CLI Parameters & Syntax

To update the OCSP settings from the CLI:

  1. Log in your Asset Manager Command Center via the CLI.
  2. Optionally, type certificate? to display the certificate menu.
  3. At the command prompt, enter certificate ocsp
    The current OCSP settings display.
  4. Asset Manager provides 9 OCSP-related parameters you can update in the CLI. Three options take URLs (defaultresponder, proxyurl, staplingforceurl) and the others are Boolean and take true/false values.

CLI

Description

Default


enable

Enable/Disable OCSP validation of the client certificate chain.

false/off When set to true/on, the responder checks the validity of user(not server) certificates and also the validity of the certificate chain (the signer of the cert, and the signer's signer, and so on).

defaultresponder

Set/Unset the default responder URI for OCSP validation

none/commented If no responder URI is specified in the certificate being verified, or if the override responder is set, then use this URI instead.

overrideresponder

True/False Force use of default responder

false/off Always use the default responder, even when the certificate has a different responder URI embedded in it.
respondercertificate Install/Remove responder cert install Installs or removes the indicated responder certificate.

usenonce

True/False Use a nonce within OCSP queries

true/on To avoid a certain kind of attack, the browser will send a random string to the responder that the responder will include in its reply to verify that the response received is a reply to the actual request, and not a copy of some previous reply. Not all responders use this mechanism.

noverify

True/False Skip the OCSP responder certificates verification

false/off Usually, the browser checks that it is communicating with the correct responder by verifying the responder certificate. This option controls whether to perform  that check or not.

usestapling

True/False Enable stapling of OCSP responses in the TLS handshake

false/off OCSP stapling is a way to verifyAsset Manager server certificate validity without disclosing browser behavior to the CA. The Asset Manager server, rather than the browser will communicate with the responder and keep the responses for as long as they are valid.

proxyurl

Set/Unset Proxy URL to use for OCSP requests

none/commented Use a proxy to communicate with the OCSP responder. If the proxy server for normal requests is different from the proxy for OCSP, set this.

staplingforceurl

Set/Unset Override the OCSP responder URI specified in the certificate's AIA extension

none/commented

Similar to the override responder parameter, if this parameter is set, it is used for all Asset Manager server certificate validation.

Note: If you force stapling and set it to a URL is that is not a real responder, you will not be able to log in.

Example:

admin@demo-cc-332> certificate ocsp defaultresponder https://10.9.0.56:80 overrideresponder true usenonce true noverify true usestapling true proxyurl https://10.9.0.111:80