To update the OCSP settings from the CLI:
- Log in your Lumeta Command Center via the CLI.
- Optionally, type
certificate?to display the certificate menu.
- At the command prompt, enter
certificate ocsp
The current OCSP settings display. - Lumeta provides 9 OCSP-related parameters you can update in the CLI. Three options take URLs (defaultresponder, proxyurl, staplingforceurl) and the others are Boolean and take true/false values.
CLI | Description | Default | ||
|---|---|---|---|---|
| 1 | enable | Enable/Disable OCSP validation of the client certificate chain. | false/off | When set to true/on, the responder checks the validity of user (not server) certificates and also the validity of the certificate chain (the signer of the cert, and the signer's signer, and so on). |
| 2 |
| Set/Unset the default responder URI for OCSP validation | none/commented | If no responder URI is specified in the certificate being verified, or if the override responder is set, then use this URI instead. |
| 3 |
| True/False Force use of default responder | false/off | Always use the default responder, even when the certificate has a different responder URI embedded in it. |
| 4 | respondercertificate | Install/Remove responder cert | install | Installs or removes the indicated responder certificate. |
| 5 |
| True/False Use a nonce within OCSP queries | true/on | To avoid a certain kind of attack, the browser will send a random string to the responder that the responder will include in its reply to verify that the response received is a reply to the actual request, and not a copy of some previous reply. Not all responders use this mechanism. |
| 6 |
| True/False Skip the OCSP responder certificates verification | false/off | Usually, the browser checks that it is communicating with the correct responder by verifying the responder certificate. This option controls whether to perform that check or not. |
| 7 |
| True/False Enable stapling of OCSP responses in the TLS handshake | false/off | OCSP stapling is a way to verify Lumeta server certificate validity without disclosing browser behavior to the CA. The Lumeta server, rather than the browser will communicate with the responder and keep the responses for as long as they are valid. |
| 8 |
| Set/Unset Proxy URL to use for OCSP requests | none/commented | Use a proxy to communicate with the OCSP responder. If the proxy server for normal requests is different from the proxy for OCSP, set this. |
| 9 |
| Set/Unset Override the OCSP responder URI specified in the certificate's AIA extension | none/commented | Similar to the override responder parameter, if this parameter is set, it is used for all Lumeta server certificate validation. Note: If you force stapling and set it to a URL is that is not a real responder, you will not be able to log in. |
Example:
admin@demo-cc-332> certificate ocsp defaultresponder https://10.9.0.56:80 overrideresponder true usenonce true noverify true usestapling true proxyurl https://10.9.0.111:80