Beginning with ONTAP 9.4, Online Certificate Status Protocol (OCSP) enables ONTAP applications that use Transport Layer Security (TLS) communications to receive digital certificate status when OCSP is enabled. You can enable or disable OCSP certificate status checks for specific applications at any time. By default, OCSP certificate status checking is disabled.
Before you begin
These commands must be performed at the advanced privilege level.
About this task
OCSP supports the following applications:
- Set the privilege level to advanced: set -privilege advanced.
- To enable or disable OCSP certificate status checks for specific ONTAP applications, use the appropriate command.
| If you want OCSP certificate status checks for some applications to be... | Use the command... |
|---|---|
| Enabled | security config ocsp enable -app app_name |
| Disabled | security config ocsp disable -app app_name |
Example
The following command enables OCSP support for AutoSupport and EMS.
```
cluster::*> security config ocsp enable -app asup,ems
```
Result
When OCSP is enabled, the application receives one of the following responses:
- Good - the certificate is valid and communication proceeds.
- Revoked - the certificate has been permanently deemed untrustworthy by its issuing Certificate Authority, and communication fails to proceed.
- Unknown - the OCSP server has no status information about the certificate, and communication fails to proceed.
- OCSP server information is missing from the certificate - the application acts as if OCSP is disabled and continues the TLS communication, but no status check occurs.
- No response from the OCSP server - the application fails to proceed.
- To enable or disable OCSP certificate status checks for all applications using TLS communications, use the appropriate command.
| If you want OCSP certificate status checks for all applications to be... | Use the command... |
|---|---|
| Enabled | security config ocsp enable -app all |
| Disabled | security config ocsp disable -app all |
Result
When enabled, all applications receive a signed response signifying that the specified certificate is good, revoked, or unknown. In the case of a revoked certificate, the application will fail to proceed. If the application fails to receive a response from the OCSP server or if the server is unreachable, the application will fail to proceed.
- Use the security config ocsp show command to display all the applications that support OCSP and their support status.
Example
```
cluster::*> security config ocsp show
Application          OCSP Enabled?
-------------------- ---------------------
autosupport          false
audit_log            false
fabricpool           false
ems                  false
kmip                 false
ldap_ad              true
ldap_nis_namemap     true
7 entries were displayed.
```