Cisco Cisco TelePresence MCU 4510 Maintenance Manual
Configuring the OCSP Connection
1.
Go to Network > SSL certificates.
2.
Go to the Online certificate status protocol (OCSP) section.
3.
Select HTTPS certificates in the Certificates to check field.
When you click Apply changes, the OCSP check for HTTPS certificates will be enabled; if you select None
you will disable the check.
When you click Apply changes, the OCSP check for HTTPS certificates will be enabled; if you select None
you will disable the check.
4.
Enter the server address in the OCSP server field.
5.
Check the Require nonce checkbox if the server requires this extra level of security.
6.
Enter the Maximum clock skew of OCSP server, in seconds.
7.
Enter the Maximum age of OCSP server records, in days.
8.
Click Apply changes.
OCSP Details Reference
Online Certificate Status Protocol (OCSP) Field Descriptions
Certificates
to check
to check
None to disable OCSP checks or HTTPS client certificates to enable OCSP checks of HTTPS client
certificates' revocation status.
certificates' revocation status.
OCSP
server
server
The URL of the external OCSP server.
■
If the default port allocation is sufficient (port 80 for HTTP and port 443 for HTTPS) use one of
these formats, as appropriate: http://example.com; https://example.com;
http://example.com/examplepath; https://example.com/examplepath
these formats, as appropriate: http://example.com; https://example.com;
http://example.com/examplepath; https://example.com/examplepath
■
To send to a non-standard port number (port 88 is used in the examples here) use one of
these formats, as appropriate: http://example.com:88; https://example.com:88;
http://example.com:88/examplepath; https://example.com:88/examplepath
these formats, as appropriate: http://example.com:88; https://example.com:88;
http://example.com:88/examplepath; https://example.com:88/examplepath
Require
nonce
nonce
Determines whether OCSP queries must include a nonce extension (to prevent replay attacks).
■
If enabled, the MCU includes a nonce in each OCSP request, and requires the nonce to be
returned in the corresponding response. If the nonce is not returned, the associated
connection request is rejected.
returned in the corresponding response. If the nonce is not returned, the associated
connection request is rejected.
■
If disabled, the MCU does not send a nonce in OCSP requests.
Maximum
clock skew
of OCSP
server
clock skew
of OCSP
server
Specifies the maximum acceptable time (in seconds) for clock skew in OCSP responses. In this
context the skew is the divergence between the respective system clocks on the MCU and on the
OCSP server. If the skew exceeds this setting, then the OCSP responses may be treated as invalid.
context the skew is the divergence between the respective system clocks on the MCU and on the
OCSP server. If the skew exceeds this setting, then the OCSP responses may be treated as invalid.
Maximum
age of
OCSP
server
records
age of
OCSP
server
records
Specifies the maximum acceptable age (in days) for certificates. The certificate age is derived from
the response field 'thisUpdate' which indicates when the returned status was last known to be
correct. How this value is determined depends on the OCSP server configuration (often it is the last
time the server was updated with a new Certificate Revocation List).
the response field 'thisUpdate' which indicates when the returned status was last known to be
correct. How this value is determined depends on the OCSP server configuration (often it is the last
time the server was updated with a new Certificate Revocation List).
The MCU rejects any response where the value of 'thisUpdate' is later in the past than the time
derived by counting back from current time by the number of days specified here (after accounting
for clock skew).
derived by counting back from current time by the number of days specified here (after accounting
for clock skew).
Certificate Details Reference
Field
Description
229
Cisco TelePresence MCU Series Online Printable Help