Verifying digital certificates are valid using OCSP

Beginning with ONTAP 9.2, Online Certificate Status Protocol (OCSP) enables ONTAP applications that use Transport Layer Security (TLS) communications to receive digital certificate status when OCSP is enabled. You can enable or disable OCSP certificate status checks for specific applications at any time. By default, OCSP certificate status checking is disabled.

Before you begin

These commands must be performed at the advanced privilege level.

About this task

OCSP supports the following applications:

Steps

  1. Set the privilege level to advanced: set -privilege advanced.
  2. To enable or disable OCSP certificate status checks for specific ONTAP applications, use the appropriate command.
    If you want OCSP certificate status checks for some applications to be...   Use the command...
      Enabled     security config ocsp enable -app app_name
      Disabled    security config ocsp disable -app app_name
    Example
    The following command enables OCSP support for AutoSupport and EMS.
    cluster::*> security config ocsp enable -app asup,ems

    When OCSP is enabled, the application receives one of the following responses:

    • Good - the certificate is valid and communication proceeds.
    • Revoked - the certificate has been permanently deemed untrustworthy by its issuing Certificate Authority, and communication does not proceed.
    • Unknown - the OCSP server has no status information about the certificate, and communication does not proceed.
    • OCSP server information is missing in the certificate - the server acts as if OCSP is disabled and continues with TLS communication, but no status check occurs.
    • No response from OCSP server - the application fails to proceed.
  3. To enable or disable OCSP certificate status checks for all applications using TLS communications, use the appropriate command.
    If you want OCSP certificate status checks for all applications to be...   Use the command...
      Enabled     security config ocsp enable -app all
      Disabled    security config ocsp disable -app all
    When enabled, all applications receive a signed response signifying that the specified certificate is good, revoked, or unknown. In the case of a revoked certificate, the application will fail to proceed. If the application fails to receive a response from the OCSP server or if the server is unreachable, the application will fail to proceed.
  4. Use the security config ocsp show command to display all the applications that support OCSP and their support status.
    Example
    cluster::*> security config ocsp show
             Application                        OCSP Enabled?
             --------------------               ---------------------
             autosupport                        false
             audit_log                          false
             fabricpool                         false
             ems                                false
             kmip                               false
             ldap_ad                            true
             ldap_nis_namemap                   true
    
             7 entries were displayed.
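How a TLS client applies the outcomes listed in steps 2 and 3, as an added example that is not ONTAP code: it uses the `cryptography` Python library (assumed installed) to build a constructed test CA and leaf certificates, signs OCSP responses locally in place of a real responder, and then applies the decision rules above (proceed only on Good; fail closed on Revoked, Unknown or no response; skip the check when the certificate names no responder). The CA name, peer name and responder URL are all constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, issuer_cn, key, signer_key, ocsp_url=None):
    """Test certificate; when ocsp_url is given it is written into the AIA extension."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=1)).not_valid_after(now + dt.timedelta(days=1)))
    if ocsp_url:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    return b.sign(signer_key, hashes.SHA256())

CA_KEY = ec.generate_private_key(ec.SECP256R1())  # constructed test PKI, not a real CA
CA = make_cert("Constructed Test CA", "Constructed Test CA", CA_KEY, CA_KEY)
LEAF = make_cert("peer.example", "Constructed Test CA", ec.generate_private_key(ec.SECP256R1()), CA_KEY, "http://ocsp.example.invalid")
LEAF_NO_AIA = make_cert("peer.example", "Constructed Test CA", ec.generate_private_key(ec.SECP256R1()), CA_KEY)

def ocsp_url(cert):  # responder URL from the AIA extension, or None when the certificate carries none
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    return next((d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP), None)

def signed_response(cert, status):  # stand-in responder: a CA-signed response with the given status
    now = dt.datetime.now(dt.timezone.utc)
    revoked_at = now if status == ocsp.OCSPCertStatus.REVOKED else None
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=CA, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=now, next_update=now + dt.timedelta(hours=1),
                          revocation_time=revoked_at, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA).sign(CA_KEY, hashes.SHA256()))

def may_proceed(cert, response):
    """Rules above: no OCSP URL -> proceed unchecked; no response, REVOKED or UNKNOWN -> fail; GOOD -> proceed."""
    if ocsp_url(cert) is None:
        return True
    if response is None or response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    CA.public_key().verify(response.signature, response.tbs_response_bytes,
                           ec.ECDSA(response.signature_hash_algorithm))  # raises if not signed by the CA
    return response.certificate_status == ocsp.OCSPCertStatus.GOOD
```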