List of published manuals

List of manuals for contractors

IIJ ID Service Manual [For Administrators]

Revocation Settings by OCSP

This page describes how to check certificate revocation using OCSP (Online Certificate Status Protocol).
When OCSP is enabled, an inquiry is made to the OCSP server to see if the certificate is revoked or not every time device certificate authentication is performed.

[ Reference ]

When only OCSP is enabled, authentication by device certificate can no longer be performed if a proper connection cannot be made to the OCSP server.
To avoid the situation where authentication cannot be performed due to a problem with the OCSP server, enable "Revocation Settings by CRL" together.

  1. Click "System" and then "Security Settings."
  2. Click "Device Restriction."
  3. Click "Certificate Revocation Settings" for the desired CA certificate chain.
  4. Click "Enable OCSP."

  5. Change the content and then click "Update."

    OptionDescription
    OCSP server URLEnter the URL of the OCSP server.
    NonceInclude random values in the OCSP request to prevent replay attacks.
    Disable this option if the OCSP server does not support Nonce.
    Latest verification statusDisplays the latest verification results.
    • Time of verification:Date and time of verification
    • HTTP status:Status code of HTTP response from the OCSP server
    • OCSP status:OCSP verification result
      • good:Certificate can be used
      • revoked:Certificate cannot be used
      • Other:Certificate cannot be used (Switched to verification by CRL if CRL is enabled)
    Verify OCSP server connectionChecks communication to the OCSP server.
    A verification request is sent to the OCSP server and the result is displayed in the verification status.