To configure the HTTP URL of the Online Certificate Status Protocol (OCSP) for the trust point CA, use the ocsp url command in trust point configuration submode. To discard the OCSP configuration, use the no form of the command.
ocsp url url
no ocsp url url
Specifies the OCSP URL. The maximum size is 512 characters.
Trust point configuration submode.
This command was introduced.
The MDS switch uses OCSP to check the revocation status of a peer certificate (presented to it during a security or authentication exchange such as IKE or SSH) only if the revocation checking methods configured for the trust point include OCSP. OCSP checks the certificate revocation status against the latest CRL on the CA using the online protocol, which generates network traffic and also requires that the OCSP service of the CA be available online in the network.
If revocation checking is performed using the CRL cached on the MDS switch, no network traffic is generated; however, the cached CRL does not contain the latest revocation information.
You must authenticate the CA for the trust point before configuring the OCSP URL for it.
The following example shows how to specify the URL for OCSP to use to check for revoked certificates:
switch# config terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# ocsp url http://admin-ca.cisco.com/ocsp
The following example shows how to remove the URL for OCSP:
switch(config-trustpoint)# no ocsp url http://admin-ca.cisco.com/ocsp
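Because the switch only consults OCSP when the responder at the configured URL is reachable, it is worth probing that responder from an admin host before committing the URL. The following POSIX shell script is an added example, not part of the Cisco documentation; it assumes OpenSSL's ocsp subcommand is installed, that the authenticated trust point CA certificate and a certificate issued by that CA are available as PEM files (hypothetical paths), and it enforces the two constraints this page states for the URL (HTTP scheme, 512-character maximum).

```shell
#!/bin/sh
# Pre-flight check for the value given to `ocsp url` (added example, not Cisco code).

# Enforce the constraints the command reference states: an HTTP URL of at most
# 512 characters. Returns 0 when acceptable, 1 otherwise.
validate_ocsp_url() {
  url=$1
  case "$url" in
    http://?*) ;;                       # must be an http:// URL with a host part
    *) echo "rejected: '$url' is not an http:// URL" >&2; return 1 ;;
  esac
  if [ "${#url}" -gt 512 ]; then
    echo "rejected: URL is ${#url} characters, maximum is 512" >&2
    return 1
  fi
  return 0
}

# Ask the responder about one certificate issued by the trust point CA.
#   $1 = OCSP URL, $2 = trust point CA certificate (PEM), $3 = peer certificate (PEM)
# The CA certificate doubles as -CAfile so the responder's signature is verified,
# mirroring the switch's requirement that the CA be authenticated first.
# Returns 0 for "good", 3 for "revoked", 2 when the responder is unreachable or
# the response fails verification.
probe_ocsp_responder() {
  url=$1; issuer=$2; peer=$3
  validate_ocsp_url "$url" || return 1
  if ! out=$(openssl ocsp -issuer "$issuer" -cert "$peer" -CAfile "$issuer" \
               -url "$url" -resp_text 2>&1); then
    printf '%s\n' "$out" >&2
    echo "responder at $url did not return a verifiable response" >&2
    return 2
  fi
  case "$out" in
    *": good"*)    echo "responder at $url answered: certificate status good"; return 0 ;;
    *": revoked"*) echo "responder at $url answered: certificate is REVOKED";  return 3 ;;
    *)             printf '%s\n' "$out" >&2; return 2 ;;
  esac
}

# Usage (hypothetical file names; the URL is the one from the configuration example):
#   probe_ocsp_responder http://admin-ca.cisco.com/ocsp admin-ca.pem peer-switch.pem
```

Run the probe from a host with the same network path to the CA as the switch; a failure here means the switch would also be unable to use OCSP for that trust point.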