Cisco Cisco TelePresence MCU 4510 Administrator's Guide
OCSP details reference
Online certificate status protocol (OCSP) field descriptions
Certificates
to check
to check
None to disable OCSP checks or HTTPS client certificates to enable OCSP checks of HTTPS client
certificates' revocation status.
certificates' revocation status.
OCSP
server
server
The URL of the external OCSP server.
n
If the default port allocation is sufficient (port 80 for HTTP and port 443 for HTTPS) use one of
these formats, as appropriate: http://example.com; https://example.com;
http://example.com/examplepath; https://example.com/examplepath
these formats, as appropriate: http://example.com; https://example.com;
http://example.com/examplepath; https://example.com/examplepath
n
To send to a non-standard port number (port 88 is used in the examples here) use one of these
formats, as appropriate: http://example.com:88; https://example.com:88;
http://example.com:88/examplepath; https://example.com:88/examplepath
formats, as appropriate: http://example.com:88; https://example.com:88;
http://example.com:88/examplepath; https://example.com:88/examplepath
Require
nonce
nonce
Determines whether OCSP queries must include a nonce extension (to prevent replay attacks).
n
If enabled, the MCU includes a nonce in each OCSP request, and requires the nonce to be
returned in the corresponding response. If the nonce is not returned, the associated connection
request is rejected.
returned in the corresponding response. If the nonce is not returned, the associated connection
request is rejected.
n
If disabled, the MCU does not send a nonce in OCSP requests.
Maximum
clock skew
of OCSP
server
clock skew
of OCSP
server
Specifies the maximum acceptable time (in seconds) for clock skew in OCSP responses. In this
context the skew is the divergence between the respective system clocks on the MCU and on the
OCSP server. If the skew exceeds this setting, then the OCSP responses may be treated as invalid.
context the skew is the divergence between the respective system clocks on the MCU and on the
OCSP server. If the skew exceeds this setting, then the OCSP responses may be treated as invalid.
Maximum
age of
OCSP
server
records
age of
OCSP
server
records
Specifies the maximum acceptable age (in days) for certificates. The certificate age is derived from
the response field 'thisUpdate' which indicates when the returned status was last known to be
correct. How this value is determined depends on the OCSP server configuration (often it is the last
time the server was updated with a new Certificate Revocation List).
the response field 'thisUpdate' which indicates when the returned status was last known to be
correct. How this value is determined depends on the OCSP server configuration (often it is the last
time the server was updated with a new Certificate Revocation List).
The MCU rejects any response where the value of 'thisUpdate' is later in the past than the time
derived by counting back from current time by the number of days specified here (after accounting
for clock skew).
derived by counting back from current time by the number of days specified here (after accounting
for clock skew).
Certificate details reference
Field
Description
Subject The business to which the certificate has been issued:
n
C Country where the business is registered
n
ST State or province where the business is located
n
L Locality or city where the business is located
n
O Legal name of the business
n
OU Organizational unit or department
n
CN Certificate common name, or the domain name
Issuer
The issuer of the certificate. Where the certificate has been self-issued, these details are the same as
for Subject.
for Subject.
Issued
Date on which the certificate was issued.
Expires Date on which the certificate will expire.
Cisco TelePresence MCU Series Administrator Guide
Page 258 of 300
Advanced topics
Configuring SSL certificates