Fortinet black logo

CLI Reference

config system certificate ocsp_stapling

config system certificate ocsp_stapling

Use this command to configure Online Certificate Status Protocol Stapling. You can enable OCSP stapling by importing an OCSP response or quote an OCSP profile.

In a stapling scenario, the certificate holder queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped OCSP response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the TLS/SSL Handshake via the Certificate Status Request extension response. Note that the TLS client must explicitly include a Certificate Status Request extension in its Client Hello TLS/SSL handshake message.

OCSP_staping could be used in a local_certificate_group, and the local certificate in OCSP stapling must be the local certificate in the local certificate group.

Syntax

config system certificate OCSP_stapling

edit <name>

set OCSP <datasource>

set OCSP-response-file <OCSP-response-filename>

set issuer-certificate <datasource>

set response-update-ahead-time <integrate>

set response-update-interval <integrate>

end

ocsp

Quote from system certificate OCSP.

ocsp-response

A certificate containing the OCSP response from the OCSP server.

issuer-certificate

The issuer CA of the local certificate.

response-update-ahead-time

The default is 1h (1 hour). Valid values are Xh (hour), Xm (minute), and Xs (second). For example, 5m, 30s (=5 minute and 30 seconds).

response-update-interval

The number of seconds (200 ms by default) that FortiADC waits for a response from the OCSP responder. FortiADC will block the link once it times out.

Example

config system certificate OCSP_stapling

edit "ocsp_staping"

set issuer-certificate cacert

set OCSP-response-file ocsp_staping.cer

next

end

config system certificate ocsp_stapling

config system certificate ocsp_stapling

Use this command to configure Online Certificate Status Protocol Stapling. You can enable OCSP stapling by importing an OCSP response or quote an OCSP profile.

In a stapling scenario, the certificate holder queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped OCSP response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the TLS/SSL Handshake via the Certificate Status Request extension response. Note that the TLS client must explicitly include a Certificate Status Request extension in its Client Hello TLS/SSL handshake message.

OCSP_staping could be used in a local_certificate_group, and the local certificate in OCSP stapling must be the local certificate in the local certificate group.

Syntax

config system certificate OCSP_stapling

edit <name>

set OCSP <datasource>

set OCSP-response-file <OCSP-response-filename>

set issuer-certificate <datasource>

set response-update-ahead-time <integrate>

set response-update-interval <integrate>

end

ocsp

Quote from system certificate OCSP.

ocsp-response

A certificate containing the OCSP response from the OCSP server.

issuer-certificate

The issuer CA of the local certificate.

response-update-ahead-time

The default is 1h (1 hour). Valid values are Xh (hour), Xm (minute), and Xs (second). For example, 5m, 30s (=5 minute and 30 seconds).

response-update-interval

The number of seconds (200 ms by default) that FortiADC waits for a response from the OCSP responder. FortiADC will block the link once it times out.

Example

config system certificate OCSP_stapling

edit "ocsp_staping"

set issuer-certificate cacert

set OCSP-response-file ocsp_staping.cer

next

end