Enabling OCSP

(Optional) Enable OCSP (Online Certificate Status Protocol) to determine the status of a certificate used to authenticate a subject: current, expired, or unknown. OCSP configuration is enabled as part of cluster level SSL configuration. OCSP checking must be enabled if you are using the CertificateAuthenticationLoginModule and have set Enable revocation checking to true.

Enable OCSP for a cluster when configuring SSL.

  1. In the left navigation pane, select Configuration.
  2. In the right administration pane, select the General tab.
  3. From the menu bar, select SSL Configuration.
  4. To enable OCSP when doing certificate revocation checking, check Enable OCSP.
  5. Configure the responder properties (location and certificate information):
    Responder Property Details
    URL A URL to responder, including its port.

    For example, https://ocsp.example.net:80.
    Certificate subject name The subject name of the responder's certificate. By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated.

    Its value is a string distinguished name (defined in RFC 2253), which identifies a certificate in the set of certificates supplied during cert path validation.

    If the subject name alone is not sufficient to uniquely identify the certificate, the subject value and serial number properties must be used instead.

    When the certificate subject name is set, the certificate issuer name and certificate serial number are ignored.

    For example, CN=MyEnterprise, O=XYZCorp.
    Certificate issuer name The issuer name of the responder certificate.

    For example, CN=OCSP Responder, O=XYZCorp.
    Certificate serial number The serial number of the responder certificate.
Parent topic: Configuring SSL Properties
Previous topic: Creating an SSL Security Profile in SAP Control Center