Online Certificate Status Protocol (OCSP) is an Internet protocol used by applications to obtain the revocation status of an X.509 digital certificate.
The OCSP policy configuration file is stored as z:\system\data\ocsppolicy.ini. The default configuration looks like this:

    GenerateResponseForMissingUri = true
    EnableHttpGETMethod = false

Device creators must modify the configuration file and rebuild the securityconfig component to customise the behaviour of the OCSP component.
| Flag Name | Default Value | Description |
| --- | --- | --- |
| GenerateResponseForMissingUri | true | Decides whether an OCSP client should send a request and expect a response even if neither the Authority Information Access (AIA) extension in the certificate nor the global OCSP URL is present. The AIA extension and the global OCSP URI are the two sources for the trust status of the certificate, and one of them must be present to obtain the correct trust status. The GenerateResponseForMissingUri flag allows this default to be overridden in the following ways: |
| EnableHttpGETMethod | false | Decides how the OCSP request is sent when the request is small. HTTP-based OCSP requests can use either the GET or the POST method. Set EnableHttpGETMethod to false to force submission with POST even when the request is less than 255 bytes. |
For more details about these two flags, see RFC 2560, the X.509 PKI OCSP standard.
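To show how the two flags affect client behaviour, here is an added example (not Symbian's securityconfig code) that parses an ocsppolicy.ini-style file with the page's defaults and applies the two decisions: whether to send a request when no OCSP URI is known, and whether a small request goes out as GET or POST. The 255-byte threshold is the one RFC 2560 gives for GET; the sample file contents and the helper names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample with the defaults from the page (not a real device file).
SAMPLE_POLICY = """GenerateResponseForMissingUri = true
EnableHttpGETMethod = false
"""

# RFC 2560, Appendix A.1.1: requests smaller than 255 bytes may use HTTP GET.
GET_SIZE_LIMIT = 255


@dataclass(frozen=True)
class OcspPolicy:
    generate_response_for_missing_uri: bool = True   # page default
    enable_http_get_method: bool = False             # page default


def parse_policy(text: str) -> OcspPolicy:
    """Parse 'Flag = value' lines; missing flags keep their defaults,
    unknown flags are ignored, non-boolean values are rejected."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip()] = val.strip().lower()

    def flag(name: str, default: bool) -> bool:
        val = values.get(name)
        if val is None:
            return default
        if val not in ("true", "false"):
            raise ValueError(f"{name}: expected true/false, got {val!r}")
        return val == "true"

    return OcspPolicy(
        generate_response_for_missing_uri=flag("GenerateResponseForMissingUri", True),
        enable_http_get_method=flag("EnableHttpGETMethod", False),
    )


def should_send_request(policy: OcspPolicy, aia_ocsp_uri: Optional[str],
                        global_ocsp_uri: Optional[str]) -> bool:
    """With no AIA URI and no global URI, only the policy flag allows a request."""
    if aia_ocsp_uri or global_ocsp_uri:
        return True
    return policy.generate_response_for_missing_uri


def choose_http_method(policy: OcspPolicy, request_der: bytes) -> str:
    """GET only when the flag allows it and the DER request is under the RFC limit."""
    if policy.enable_http_get_method and len(request_der) < GET_SIZE_LIMIT:
        return "GET"
    return "POST"
```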