Configuring the Mobility Master or Managed Device as an OCSP Responder

When configured as an OCSP (Online Certificate Status Protocol) responder, the Mobility Master or the managed device provides revocation status information to ArubaOS applications that use CRLs. OCSP answers a query about the current status of a single digital certificate, so the querying application does not need to download a CRL itself.

You can configure the Mobility Master or a managed device as an OCSP responder using the WebUI or the CLI.

In the WebUI

Perform the following steps to configure the Mobility Master as an OCSP responder:

  1. In the Mobility Master node hierarchy, navigate to the Configuration > System > Certificates tab.
  2. Expand the Import Certificates accordion.
  3. Click + in the Import Certificates section.
  4. Enter the following certificate details in the New Certificate section:
    a. Enter a name in the Certificate name text box. This name identifies the certificate you are importing.
    b. Enter the certificate filename in the Certificate filename text box, or click Browse to select the file and fill in the full pathname.
    c. Enter a passphrase in the Optional passphrase text box. The passphrase is optional.
    d. If you entered a passphrase in step c, re-enter it in the Retype passphrase text box.
    e. Select a certificate format from the Certificate format drop-down list. You can import certificates in DER, P12, PEM, PFX, PKCS12, and PKCS7 format.
    f. Select OCSPSignerCert from the Certificate type drop-down list.
  5. Click Submit. The certificate appears in the Import Certificates section.
  6. For detailed information about an imported certificate, click the certificate in the certificate list.
  7. Click the Revocation Checkpoint accordion menu.
    a. Click the Enable OCSP responder toggle switch to enable this setting.
    b. Enable OCSP responder is a global option that turns the OCSP responder service on or off on the Mobility Master or the managed device. The default is disabled (off). Enabling this option automatically adds the OCSP responder port (TCP 8084) to the permit list in the CP (control plane) firewall so the responder can be reached from outside the Mobility Master or the managed device.
    c. Select the OCSPSignerCert to be used to sign OCSP responses for this revocation checkpoint from the OCSP certificates drop-down list.
    d. In the Revocation Checkpoint section, click the record for which you want to configure the revocation checkpoint. The Revocation Checkpoint > <RCP name> section is displayed.
    e. Select ocsp from the Revocation method 1 drop-down list as the primary check method. Optionally, select a backup check method from the Revocation method 2 drop-down list.
    f. In the CRL location text box, enter the CRL you want used for this revocation checkpoint. The CRLs listed are files that have already been imported onto the Mobility Master or the managed device.
    g. Click the Enable OCSP responder toggle switch to enable this setting for the selected revocation checkpoint.
    h. Select OCSPSignerCert from the OCSP signer cert drop-down list.
  8. Click Submit.
  9. Click Pending Changes.
  10. In the Pending Changes window, select the check box indicating the pending change and click Deploy Changes.

In the CLI

Run the following commands to configure the Mobility Master or the managed device as an OCSP responder.

(host)[mynode](config) #crypto-local pki service-ocsp-responder

(host)[mynode](config) #crypto-local pki rcp <name>

(host)[mynode](config-submode) #ocsp-signer-cert oscsp_CA1

(host)[mynode](config-submode) #crl-location file <filename>

(host)[mynode](config-submode) #enable-ocsp-responder
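The exchange that the responder configured above handles, as an added example that is not part of the ArubaOS guide and uses no ArubaOS command: a local OCSP round trip built with the openssl command-line tool. The test CA, the end-entity certificate, the delegated OCSP signer certificate (the counterpart of the imported OCSPSignerCert), the index file that stands in for the CRL location, and all dates are constructed here; the request and response are handed over as files instead of over TCP 8084, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the ArubaOS guide: an offline OCSP exchange built
# with the openssl command-line tool, showing what the responder configured
# above does when an application asks about a certificate. Every key and
# certificate is constructed throw-away test material; nothing contacts
# TCP 8084 or any real device.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Test CA, an end-entity certificate it issued, and a delegated OCSP signer
# certificate (the counterpart of OCSPSignerCert) with the OCSP Signing EKU.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
    -subj '/CN=Test CA' 2>/dev/null
  openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca.ext \
    -out ca.pem 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
    -subj '/CN=test-client' 2>/dev/null
  openssl x509 -req -in ee.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out ee.pem 2>/dev/null

  printf 'extendedKeyUsage=critical,OCSPSigning\nkeyUsage=critical,digitalSignature\n' > ocsp.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
    -subj '/CN=Test OCSP Signer' 2>/dev/null
  openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile ocsp.ext -out ocsp.pem 2>/dev/null
}

# The responder's status source, in OpenSSL's CA index format (tab-separated:
# status, expiry, revocation time, serial, file name, subject). It plays the
# role the imported CRL plays on the device. The dates are constructed.
#   $1 = V (valid), R (revoked) or U (serial not listed at all)
write_index() {
  serial=$(openssl x509 -in ee.pem -noout -serial | cut -d= -f2)
  case "$1" in
    V) printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=test-client\n' "$serial" ;;
    R) printf 'R\t491231235959Z\t240101120000Z,keyCompromise\t%s\tunknown\t/CN=test-client\n' "$serial" ;;
    U) printf 'V\t491231235959Z\t\t0A\tunknown\t/CN=someone-else\n' ;;
  esac > index.txt
}

# Client side: build the request an application would post to the responder
# (written to a file here instead of being sent to TCP 8084).
make_request() {
  openssl ocsp -issuer ca.pem -cert ee.pem -no_nonce -reqout req.der >/dev/null 2>&1
}

# Responder side: look the serial up in the index and sign the answer with
# the OCSP signer certificate and its key.
answer_request() {
  openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
}

# Client side again: accept the response only if its signature verifies and
# the signer chains to the CA (as the CA itself or as a delegate carrying the
# OCSP Signing EKU), then print the status word: good, revoked or unknown.
check_status() {
  out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert ee.pem \
    -CAfile ca.pem -no_nonce 2>&1) || return 1
  printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
  printf '%s\n' "$out" | sed -n 's/^ee\.pem: \([a-z]*\).*/\1/p'
}

# One full exchange for a given index state; prints the client's verdict.
ocsp_roundtrip() {
  write_index "$1"
  make_request
  answer_request
  check_status
}

# A response signed by a certificate the client does not trust must be
# rejected whatever status it claims: here the responder signs with an
# unrelated self-signed certificate instead of the OCSP signer cert.
# Returns 0 when the client rejects it.
untrusted_signer_rejected() {
  write_index V
  make_request
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout rogue.key \
    -out rogue.pem -subj '/CN=Not The CA' -days 30 2>/dev/null
  openssl ocsp -index index.txt -CA ca.pem -rsigner rogue.pem -rkey rogue.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1
  if check_status >/dev/null; then return 1; else return 0; fi
}

make_test_pki
echo "valid certificate    -> $(ocsp_roundtrip V)"
echo "revoked certificate  -> $(ocsp_roundtrip R)"
echo "unlisted certificate -> $(ocsp_roundtrip U)"
if untrusted_signer_rejected; then echo "untrusted signer     -> rejected"; fi
```

The three index states map onto the three OCSP answers an application can receive (good, revoked, unknown), and the last function shows why the choice of OCSPSignerCert matters: a client only trusts a response when the signing certificate either is the issuing CA or chains to it and carries the OCSP Signing extended key usage, which is what the imported OCSPSignerCert must satisfy. To run the same client-side check against a live responder, replace the `-reqin`/`-respout` file hand-off with `-url` pointing at the device's TCP 8084 listener (the exact URL path is not given on this page and is left as an assumption for your deployment).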