
crypto-local pki rcp

crypto-local pki rcp <name> [allow-low-assurance-devices|crl-location <filename>|enable-ocsp-responder|ocsp-responder-cert <ocsp-responder-cert>|ocsp-signer-cert <ocsp-signer-cert>|ocsp-url <ocsp-url>|revocation-check <method1> [<method2>]|server-unreachable {revoke-cert|fail-over|allow-cert}]

Description

This command configures a revocation checkpoint (rcp): the revocation check methods it uses, the CRL and OCSP responder it consults, and the certificates used to sign and verify OCSP (Online Certificate Status Protocol) responses. OCSP determines the current status of a digital certificate without requiring a CRL. A revocation checkpoint is created automatically when a TrustedCA or IntermediateCA certificate is imported into Mobility Master.

Syntax

Parameter

Description

allow-low-assurance-devices

Enables or disables acceptance of low-assurance devices at this revocation checkpoint.

crl-location <filename>

Location of the CRL (Certificate Revocation List, the list of revoked certificates maintained by a certification authority) used for this rcp. The CRL file must be imported onto Mobility Master before this option can reference it.

enable-ocsp-responder

Enables the OCSP responder for this revocation checkpoint. The default is disabled.

ocsp-responder-cert <ocsp-responder-cert>

Specifies the certificate used to verify the signatures on OCSP responses received for this checkpoint. The certificate must be one of the names displayed by the show crypto-local pki OCSPResponderCert command.

ocsp-signer-cert <ocsp-signer-cert>

Specifies the certificate used to sign the OCSP responses that this revocation checkpoint issues when it acts as a responder. The OCSP signer certificate must be imported onto Mobility Master through the WebUI beforehand. It can be the same TrustedCA as the checkpoint, a designated OCSP signing certificate issued by the same CA as the checkpoint, or another local trusted authority.

If ocsp-signer-cert is not specified, OCSP responses are signed with the global OCSP signer certificate. If no global signer certificate is present either, an error message is sent to clients.

NOTE: A checkpoint-specific OCSP signer certificate, if configured, takes precedence over the global OCSP signer certificate.

ocsp-url <ocsp-url>

Configures the URL of the OCSP responder, in the form http://my.responder.com/path. Only one responder URL can be configured at a time.

revocation-check <method1> [<method2>]

Configures the revocation check methods used for this rcp. Options are:

none (default): no revocation check is performed.

crl: check the certificate against the configured CRL.

ocsp: query the configured OCSP responder.

<method2> is an optional fallback method; only one fallback method can be configured.

server-unreachable {revoke-cert|fail-over|allow-cert}

Configures the action taken when a connection to the OCSP responder cannot be established:

allow-cert: the certificate is treated as 'Good'. This fails open: a certificate that has actually been revoked is accepted for as long as the responder is down.

fail-over: the certificate is checked against the configured CRL instead.

revoke-cert: the certificate is treated as 'Revoked'. This fails closed: every certificate that depends on this checkpoint is rejected for as long as the responder is down.

Usage Guidelines

This command configures the check methods used for the given revocation checkpoint. You can configure Mobility Master to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. Refer to Certificate Revocation for more information on how to configure this feature using both the WebUI and the CLI.
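The exchange that the ocsp-url, ocsp-signer-cert, ocsp-responder-cert and server-unreachable parameters describe, modelled end to end as an added example (this is not ArubaOS code and not part of the original page). A constructed test CA issues a delegated OCSP signing certificate and a leaf certificate; the responder side signs 'good' and 'revoked' answers with that signer (the ocsp-signer-cert role); the relying party accepts a status only when the response signature verifies against the responder certificate it has been told to trust (the ocsp-responder-cert role), rejects an answer signed by a rogue key, and maps an unsuccessful response (here a constructed tryLater) to the 'unreachable' outcome that the server-unreachable policy then decides. The Python `cryptography` package is assumed to be installed; every certificate name and key is generated in the block and is constructed test data.

```python
"""Added example (not ArubaOS code): the OCSP exchange behind a revocation
checkpoint, with both sides modelled using the `cryptography` package.
Every certificate here is constructed test data generated at run time."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
DER = serialization.Encoding.DER


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(cn, pubkey, issuer_cert, issuer_key, ca=False, ocsp_signing=False):
    """Issue a certificate from the constructed test PKI (self-signed if issuer_cert is None)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer).public_key(pubkey)
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW - datetime.timedelta(minutes=5))
               .not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:  # id-kp-OCSPSigning marks a signer the CA delegates status signing to
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def build_request(leaf, issuer_cert):
    """Client side: the query sent to the responder at ocsp-url, as DER."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer_cert, hashes.SHA1()).build()
    return req.public_bytes(DER)


def responder_answer(request_der, leaf, issuer_cert, signer_cert, signer_key, status):
    """Responder side: sign the status of the requested serial (the ocsp-signer-cert role)."""
    req = ocsp.load_der_ocsp_request(request_der)
    if req.serial_number != leaf.serial_number:  # this toy responder only knows one serial
        return ocsp.OCSPResponseBuilder.build_unsuccessful(
            ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    revoked_at = NOW if status == ocsp.OCSPCertStatus.REVOKED else None
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=leaf, issuer=issuer_cert, algorithm=hashes.SHA1(),
                          cert_status=status, this_update=NOW,
                          next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=revoked_at, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
            .sign(signer_key, hashes.SHA256()))
    return resp.public_bytes(DER)


def check_status(response_der, responder_cert, leaf):
    """Relying-party side (the ocsp-responder-cert role): trust the status only if the
    response verifies against the configured responder certificate. Returns 'good',
    'revoked', 'unknown', 'untrusted', or 'unreachable' (no usable answer, so the
    server-unreachable policy decides what happens next)."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "unreachable"
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted"   # signed by something other than ocsp-responder-cert
    if resp.serial_number != leaf.serial_number:
        return "untrusted"   # a valid signature over some other certificate's status
    return {ocsp.OCSPCertStatus.GOOD: "good", ocsp.OCSPCertStatus.REVOKED: "revoked",
            ocsp.OCSPCertStatus.UNKNOWN: "unknown"}[resp.certificate_status]


def demo():
    """Constructed PKI: a root CA, its delegated OCSP signer, a leaf, and a rogue signer."""
    ca_key = _key()
    ca = _issue("Test Root CA", ca_key.public_key(), None, ca_key, ca=True)
    signer_key = _key()
    signer = _issue("Test OCSP Signer", signer_key.public_key(), ca, ca_key, ocsp_signing=True)
    leaf = _issue("client-device", _key().public_key(), ca, ca_key)
    rogue_key = _key()
    rogue = _issue("Rogue Responder", rogue_key.public_key(), None, rogue_key, ocsp_signing=True)

    req = build_request(leaf, ca)

    def answer(cert, key, status):
        return responder_answer(req, leaf, ca, cert, key, status)

    try_later = ocsp.OCSPResponseBuilder.build_unsuccessful(
        ocsp.OCSPResponseStatus.TRY_LATER).public_bytes(DER)
    return {
        "good": check_status(answer(signer, signer_key, ocsp.OCSPCertStatus.GOOD), signer, leaf),
        "revoked": check_status(answer(signer, signer_key, ocsp.OCSPCertStatus.REVOKED), signer, leaf),
        "forged": check_status(answer(rogue, rogue_key, ocsp.OCSPCertStatus.GOOD), signer, leaf),
        "try_later": check_status(try_later, signer, leaf),
    }


if __name__ == "__main__":
    print(demo())
```

The relying-party check deliberately stops at the signature and the serial number; a production validator also checks that the signer chains to the checkpoint's CA (or carries id-kp-OCSPSigning from it) and that the thisUpdate/nextUpdate window has not lapsed. The 'forged' case is why ocsp-responder-cert must name a certificate already held on Mobility Master rather than whatever the responder sends, and the 'try_later' case is the situation that server-unreachable governs.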

Example

This example configures an OCSP client that uses OCSP as the revocation check method and the CRL as the backup method:

(host) [mynode] (config) #crypto-local pki rcp CARoot
ocsp-responder-cert RootCA-Ocsp_responder
ocsp-url http://10.4.46.202/ocsp
crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl
revocation-check ocsp crl

Related Commands

Command

Description

crypto-local pki

Configures local certificates, OCSP signer or responder certificates, and Certificate Revocation Lists (CRLs). You can also list revocation checkpoints and enable the responder service.

show crypto-local pki

Displays local certificates, OCSP signer or responder certificates, and CRL data and statistics.

Command History

Version

Modification

ArubaOS 8.2.0.0

The allow-low-assurance-devices parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

Licensing

Command Mode

All platforms

Base operating system.

Config mode on Mobility Master.
