Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.1.1 CLI Reference
    7.1.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config system certificate ocsp

    config system certificate ocsp_stapling

    Use this command to configure Online Certificate Status Protocol Stapling. You can enable OCSP stapling by importing an OCSP response or quote an OCSP profile.

    In a stapling scenario, the certificate holder queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped OCSP response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the TLS/SSL Handshake via the Certificate Status Request extension response. Note that the TLS client must explicitly include a Certificate Status Request extension in its Client Hello TLS/SSL handshake message.

    OCSP_staping could be used in a local_certificate_group, and the local certificate in OCSP stapling must be the local certificate in the local certificate group.

    Syntax

    config system certificate OCSP_stapling

    edit <name>

    set OCSP <datasource>

    set OCSP-response-file <OCSP-response-filename>

    set issuer-certificate <datasource>

    set local-certificate <datasource>

    set response-update-ahead-time <integrate>

    set response-update-interval <integrate>

    end

    ocsp

    Quote from system certificate OCSP.

    ocsp-response

    A certificate containing the OCSP response from the OCSP server.

    issuer-certificate

    The issuer CA of the local certificate.

    local-certificate

    The certificate used by FortiADC.

    response-update-ahead-time

    The default is 1h (1 hour). Valid values are Xh (hour), Xm (minute), and Xs (second). For example, 5m, 30s (=5 minute and 30 seconds).

    response-update-interval

    The number of seconds (200 ms by default) that FortiADC waits for a response from the OCSP responder. FortiADC will block the link once it times out.

    Example

    config system certificate OCSP_stapling

    edit "ocsp_staping"

    set local-certificate cert

    set issuer-certificate cacert

    set OCSP-response-file ocsp_staping.cer

    next

    end

    Previous
    Next

    config system certificate ocsp

    config system certificate ocsp_stapling

    Use this command to configure Online Certificate Status Protocol Stapling. You can enable OCSP stapling by importing an OCSP response or quote an OCSP profile.

    In a stapling scenario, the certificate holder queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped OCSP response. When the site's visitors attempt to connect to the site, this response is included ("stapled") with the TLS/SSL Handshake via the Certificate Status Request extension response. Note that the TLS client must explicitly include a Certificate Status Request extension in its Client Hello TLS/SSL handshake message.

    OCSP_staping could be used in a local_certificate_group, and the local certificate in OCSP stapling must be the local certificate in the local certificate group.

    Syntax

    config system certificate OCSP_stapling

    edit <name>

    set OCSP <datasource>

    set OCSP-response-file <OCSP-response-filename>

    set issuer-certificate <datasource>

    set local-certificate <datasource>

    set response-update-ahead-time <integrate>

    set response-update-interval <integrate>

    end

    ocsp

    Quote from system certificate OCSP.

    ocsp-response

    A certificate containing the OCSP response from the OCSP server.

    issuer-certificate

    The issuer CA of the local certificate.

    local-certificate

    The certificate used by FortiADC.

    response-update-ahead-time

    The default is 1h (1 hour). Valid values are Xh (hour), Xm (minute), and Xs (second). For example, 5m, 30s (=5 minute and 30 seconds).

    response-update-interval

    The number of seconds (200 ms by default) that FortiADC waits for a response from the OCSP responder. FortiADC will block the link once it times out.

    Example

    config system certificate OCSP_stapling

    edit "ocsp_staping"

    set local-certificate cert

    set issuer-certificate cacert

    set OCSP-response-file ocsp_staping.cer

    next

    end

    Previous
    Next