OCSP Response Stapling
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of an
identified certificate. This protocol specifies the data that needs to be exchanged between an application
checking the status of a certificate and the server providing that status. An OCSP client issues a status request
to an OCSP responder and suspends acceptance of the certificate until a response is received. An OCSP
response at a minimum consists of a responseStatus field that indicates the processing status of the a request.
For the public key algorithms, the key format consists of a sequence of one or more X.509v3 certificates
followed by a sequence of zero or more OCSP responses.
The X.509v3 Certificate for SSH Authentication feature uses OCSP Response Stapling. By using OCSP
response stapling, a device obtains the revocation information of its own certificate by contacting the OCSP
server and then stapling the result along with its certificates and sending the information to the peer rather
than having the peer contact the OCSP responder.
How to Configure X.509v3 Certificates for SSH Authentication
Configuring Digital Certificates for Server Authentication
SUMMARY STEPS
1. enable
2. configure terminal
3. ip ssh server algorithm hostkey {x509v3-ssh-rsa [ssh-rsa] | ssh-rsa [x509v3-ssh-rsa]}
4. ip ssh server certificate profile
5. server
6. trustpoint sign PKI-trustpoint-name
7. ocsp-response include
8. end
DETAILED STEPS
Command or Action
Step 1
enable
Example:
Switch> enable
Step 2
configure terminal
Example:
Switch# configure terminal
Purpose
Enables privileged EXEC mode.
Enters global configuration mode.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure X.509v3 Certificates for SSH Authentication
• Enter your password if prompted.
1119