Configuring OCSP

Online Certificate Status Protocol (OCSP) is a service provided by a CA to verify the validity of a digital certificate in real time. A client can send a request to the OCSP server of the CA to check whether the certificate has been revoked.

Application Scenario

OCSP is applicable to scenarios where the certificate status is sensitive. Especially in scenarios where certificates are frequently revoked (such as enterprise environments) or high security is required (such as finance and government), OCSP can verify the validity of certificates in real time.

Enable OCSP: If OCSP is enabled for a private CA, the private certificate extension issued by the private CA contains the OCSP access address.
Disable OCSP: If OCSP is disabled for a private CA, the private certificate extension issued by the private CA does not contain the OCSP access address.

Prerequisites

The private CA for which you want to configure OCSP is in the Activated or Disabled state.

Procedure

Log in to the CCM console.
In the navigation pane on the left, choose Private Certificate Management > Private CAs.
In the private CA list, select the CA Name of the private CA for which you want to configure OCSP.

On the private CA details page, click the OCSP Configuration tab and configure the verification protocol for certificate revocation status, as shown in Figure 1. Table 1 describes the parameters.

Figure 1 OCSP configuration

**Table 1** Configuration parameters
Parameter	Description
Status	Indicates the private CA OCSP status. The value can be: Enabled: The private CA OCSP is enabled. Disabled: The private CA OCSP is disabled.
OCSP Access Address	Indicates the server address provided by the CA, that is, the OCSP server URL, which is used to query whether a digital certificate has been revoked in real time.

Enables or disables OCSP.
- Click Enable. If Enabled is displayed, OCSP is enabled successfully.
- Click Disable. If Disabled is displayed, OCSP is disabled successfully.