Properties for the Online Certificate Status Protocol (OCSP).
URL to Consult Option
Sets the list and order of the OCSP
servers used to perform the revocation check. The default value
is UseAIAInCert. Select one of these values:
-
UseAIAInCert:
-
Use the URL of an online certificate status protocol server specified
in the Authority Information Access (AIA) extension in the certificate. The
AIA extension is used to identify how to access certificate authority
(CA) information and services for the issuer of the certificate.
-
LocalURL:
-
Use the specified URL for the OCSP server specified in the
OCSP Server URL option.
-
UseAIAIfPresentElseLocal:
-
Use the URL of the OCSP server specified in the AIA extension
in the certificate if present. If the AIA extension is not present
in the certificate, use the URL configured in the OCSP Server URL.
-
UseAIAInSignerCert:
-
Use the URL of the OCSP server specified in the AIA extension
in the signer certificate.
OCSP Server URL
Sets the URL of the configured OCSP server.
The value is only used when the LocalURL or UseAIAIfPresentElseLocal
values are in URL To Consult Option.
Revocation Check Style
Sets the revocation-checking style used for
verifying the trust status of the CRL provider’s certificate from
its observed revocation status. The default value is CheckIfAvailable.
Select one of these values:
-
NoCheck:
-
Does not check for revocation.
-
BestEffort:
-
Checks for revocation of all certificates when possible.
-
CheckIfAvailable:
-
Checks for revocation of all certificates only when revocation
information is available.
-
AlwaysCheck:
-
Checks for revocation of all certificates.
Max Clock Skew Time (minutes)
Sets the maximum allowed skew,
in minutes, between response time and local time. Valid skew times
are
0
-
2147483647
min. The default
value is
5
min.
Response Freshness Time (minutes)
Sets the maximum time, in minutes,
for which a preconstructed OCSP response is considered valid. Valid
response freshness times are
1
-
2147483647
min.
The default value is
525600
min. (one year).
Send Nonce
Select this option to send a nonce is with the OCSP
request. A
nonce
is a parameter that varies with time. These
parameters can be a timestamp, a visit counter on a web page, or
a special marker. The parameter is intended to limit or prevent
the unauthorized replay or reproduction of a file. When the option deselected,
a nonce is not sent with the request. By default, the option is selected.
Sign OCSP Request
Select this option to specify that the OCSP
request must be signed. When the option is deselected, the OCSP
request does not need be signed. By default, the option is deselected.
Request Signer Credential Alias
Sets the credential alias used
for signing the OCSP request when signing is enabled.
Go Online for OCSP
Select this option to access embedded
and cached OCSP responses on the LiveCycle server. The network can
be accessed to retrieve OCSP information for OCSP checking. Accessing
OCSP responses on the server helps to reduce the amount of network
traffic generated due to OCSP checking. When the option deselected,
OCSP checking is performed by accessing the LiveCycle server. By default,
the option is selected.
Ignore Validity Dates
Select this option to use the OCSP response
thisUpdate and nextUpdate times. Ignoring the response’s thisUpdate
and nextUpdate times prevents any negative effect on response validity.
The thisUpdate and nextUpdate times are retrieved from external
sources by using HTTP or LDAP and can be different for each revocation
information. When the option is deselected, the thisUpdate and nextUpdate
times are ignored. By default, the option deselected.
Allow OCSP NoCheck Extension
Select this option to allow an
OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck
extension can be present in the OCSP Responder’s certificate to
prevent infinite loops from occurring during the validation process. When
the option deselected, the OCSPNoCheck extension is not allowed.
By default, the option is selected.
Require OCSP ISIS-MTT CertHash Extension
Select this option to
specify that certificate public key hash (CertHash) extensions must
be present in OCSP responses. This extension is required for SigQ validation.
SigQ compliance requires the CertHash extension to be in the OCSP responder
certificate. Select this option when processing for SigQ compliance and
supported OCSP responders. When the option is deselected, the CertHash extension
presence in the OCSP response is not required. By default, the option is
deselected.