config system certificate ocsp_stapling
Use this command to configure Online Certificate Status Protocol (OCSP) stapling. You can enable OCSP stapling either by importing an OCSP response file or by referencing an OCSP profile configured under system certificate OCSP.
In a stapling scenario, the certificate holder (here, FortiADC) queries the OCSP server itself at regular intervals and obtains a signed, time-stamped OCSP response. When visitors connect to the site, this response is included ("stapled") in the TLS/SSL handshake as the response to the Certificate Status Request extension. Note that a response is only stapled if the TLS client explicitly includes a Certificate Status Request extension in its ClientHello message.
An OCSP_stapling object can be used in a local_certificate_group, and the local certificate referenced by the OCSP stapling object must be the local certificate in that local certificate group.
Syntax
config system certificate OCSP_stapling
    edit <name>
        set OCSP <datasource>
        set OCSP-response-file <OCSP-response-filename>
        set issuer-certificate <datasource>
        set response-update-ahead-time <integer>
        set response-update-interval <integer>
    next
end
Parameter | Description
ocsp | Reference to an OCSP object configured under system certificate OCSP.
ocsp-response-file | The imported file containing the OCSP response obtained from the OCSP server.
issuer-certificate | The issuer CA certificate of the local certificate.
response-update-ahead-time | The default is 1h (1 hour). Valid values use the form Xh (hours), Xm (minutes), and Xs (seconds), and may be combined; for example, 5m30s (5 minutes and 30 seconds).
response-update-interval | The number of seconds (200 ms by default) that FortiADC waits for a response from the OCSP responder. FortiADC blocks the link once the request times out.
Example
config system certificate OCSP_stapling
    edit "ocsp_stapling"
        set issuer-certificate cacert
        set OCSP-response-file ocsp_stapling.cer
    next
end
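To confirm from the client side that a virtual server using the configuration above really staples a fresh, good response, the following added Python check (not part of the FortiADC documentation) parses the OCSP section that `openssl s_client -connect <host>:443 -status` prints and compares the response's Next Update against the configured response-update-ahead-time (default 1h, from the table above). The sample s_client output is constructed; the host name and the "ADC did not refresh it" diagnosis are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of the OCSP section that `openssl s_client -status` prints
# (OpenSSL pads single-digit days with two spaces, as in "Jun  1").
SAMPLE_OUTPUT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Jun  1 10:00:00 2024 GMT
    Next Update: Jun  8 10:00:00 2024 GMT
"""
_TS = "%b %d %H:%M:%S %Y GMT"   # timestamp layout used in OpenSSL's OCSP dump

def _parse_ts(value):
    return datetime.strptime(value.strip(), _TS).replace(tzinfo=timezone.utc)

def parse_ahead_time(value):
    """Parse the Xh/Xm/Xs form of response-update-ahead-time, e.g. '1h' or '5m30s'."""
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad ahead-time {value!r}")
    units = {"h": 3600, "m": 60, "s": 1}
    return timedelta(seconds=sum(int(n) * units[u] for n, u in parts))

def check_stapled_response(output, now, ahead_time="1h"):
    """Judge a stapled response; now: datetime or OpenSSL timestamp string; ahead_time: configured response-update-ahead-time."""
    if "OCSP Response Data" not in output:          # s_client prints "OCSP response: no response sent"
        return {"stapled": False, "ok": False, "reason": "no OCSP response stapled"}
    now = _parse_ts(now) if isinstance(now, str) else now
    fields = dict(re.findall(
        r"^\s*(OCSP Response Status|Cert Status|This Update|Next Update): (.+)$", output, re.M))
    reasons, remaining = [], timedelta(0)
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        reasons.append("responder status " + fields.get("OCSP Response Status", "missing"))
    if fields.get("Cert Status") != "good":
        reasons.append("certificate status " + fields.get("Cert Status", "missing"))
    if "This Update" in fields and now < _parse_ts(fields["This Update"]):
        reasons.append("response not yet valid")
    if "Next Update" not in fields:
        reasons.append("no Next Update, freshness cannot be judged")
    else:
        remaining = _parse_ts(fields["Next Update"]) - now
        if remaining <= timedelta(0):
            reasons.append("response expired")
        elif remaining < parse_ahead_time(ahead_time):   # ADC should already have fetched a new one
            reasons.append("expires inside the update-ahead window, ADC did not refresh it")
    return {"stapled": True, "ok": not reasons,
            "remaining_seconds": int(remaining.total_seconds()), "reason": "; ".join(reasons)}
```

Run it against real output by piping `openssl s_client -connect <host>:443 -status </dev/null` into a file and passing its contents with the current UTC time; a response that is close to its Next Update while the ADC is still serving it points at the refresh settings above.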