Does VIA support validation of the revocation status of a peer certificate using OCSP?
Yes. Starting with VIA 2.3, VIA checks the revocation status of the server certificate exchanged during IKE negotiation and the EAP-TLS exchange, using the Online Certificate Status Protocol (OCSP). VIA extracts the OCSP responder information from the certificate being checked. If the certificate contains no OCSP responder information, the revocation check is skipped. We can enable the OCSP revocation check through the VIA connection profile:
aaa authentication via connection-profile "default"
    ocsp-responder ike-url "OCSP URL embedded in the certificate example: http://ocsp.usertrust.com"
    ocsp-responder eap-url "OCSP URL embedded in the certificate example: http://ocsp.usertrust.com"

We can also define whether the VIA connection should be allowed when the OCSP status cannot be determined for some reason:

aaa authentication via connection-profile "default"
    ocsp-responder fallback accept
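
To find the "OCSP URL embedded in the certificate" for the ike-url and eap-url settings, and to spot certificates for which the check would be skipped, the responder URL can be read from the certificate's Authority Information Access extension. The script below is an added example, not HPE Aruba code: the function names are hypothetical, the sample bytes and example.test URLs are constructed, and it scans for the id-ad-ocsp OID instead of fully parsing the certificate.

```python
import base64
import re

# DER-encoded AIA access-method OIDs (RFC 5280, section 4.2.2.1)
ID_AD_OCSP = bytes.fromhex("06082b06010505073001")        # 1.3.6.1.5.5.7.48.1
ID_AD_CA_ISSUERS = bytes.fromhex("06082b06010505073002")  # 1.3.6.1.5.5.7.48.2
URI_TAG = 0x86  # GeneralName uniformResourceIdentifier, context tag [6]

def to_der(data):
    """Accept a PEM or DER certificate and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of value)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one length byte
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def ocsp_urls(cert):
    """Return every URI that directly follows the id-ad-ocsp OID."""
    der, urls, pos = to_der(cert), [], 0
    while (pos := der.find(ID_AD_OCSP, pos)) != -1:
        pos += len(ID_AD_OCSP)
        if pos + 1 < len(der) and der[pos] == URI_TAG:
            length, start = read_len(der, pos + 1)
            urls.append(der[start:start + length].decode("ascii", "replace"))
    return urls

def revocation_note(cert):
    """State what the behaviour described above implies for this certificate."""
    urls = ocsp_urls(cert)
    if not urls:
        return "no OCSP responder in certificate: revocation check is skipped"
    return "OCSP responder(s): " + ", ".join(urls)

def tlv(tag, body):
    """Minimal DER encoder for the constructed samples (bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed samples: AIA extension values only, not full certificates.
CA_ISSUERS = tlv(0x30, ID_AD_CA_ISSUERS + tlv(URI_TAG, b"http://ca.example.test/ca.crt"))
WITH_OCSP = tlv(0x30, tlv(0x30, ID_AD_OCSP + tlv(URI_TAG, b"http://ocsp.example.test")) + CA_ISSUERS)
WITHOUT_OCSP = tlv(0x30, CA_ISSUERS)
```

Passing the bytes of a real PEM or DER server certificate to revocation_note() reports its responder URL, or flags that it carries none.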
© Copyright 2024 Hewlett Packard Enterprise Development LP All Rights Reserved.