Black Box ET1000A Appliance Trim Kit User Manual


 
Validating Certificates
EncrypTight User Guide 291
NOTE
For enhanced security, if you want to validate certificates using OCSP only, disable the options to Ignore
Failure to Respond and Revert to CRL on OCSP Responder Failure.
To set up OCSP in the ETKMS:
1 Log in directly on the ETKMS as root, or open an SSH session and su to root.
2 Using a text editor, open the kdist.properties file and add or edit the following lines:
#crlPath=../keys/current.crl
ocspEnabled=true
ocspDefaultResponderURL=http://<IPaddress:Port#>
ocspCRLFallbackEnable=true
#ignoreRevocationCheckErrors=false
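A check for the kdist.properties lines above, as an added example for this page (it is not Black Box code and not part of the original guide). It encodes only what the page states: Table 80's rules (crlPath and ignoreRevocationCheckErrors commented out, ocspEnabled=true, a concrete default responder) and, when asked for an OCSP-only policy, the NOTE's requirement that a responder outage must not fall back to a CRL. The http://host:port shape test on ocspDefaultResponderURL is an assumption taken from the page's example URL, the sample files are constructed here, and the location of kdist.properties on the ETKMS is not given on this page, so the caller supplies the file text.

```python
"""Check the OCSP settings in an ETKMS kdist.properties file against Table 80.

Added example, not Black Box code. Rules encoded: crlPath and
ignoreRevocationCheckErrors commented out, ocspEnabled=true, a concrete
responder URL, and (optionally) the NOTE's OCSP-only policy of no CRL fallback.
The http://host:port shape test is an assumption based on the page's example.
"""
import re

# Constructed sample: the fragment exactly as the page shows it, placeholder URL included.
AS_ON_PAGE = """\
#crlPath=../keys/current.crl
ocspEnabled=true
ocspDefaultResponderURL=http://<IPaddress:Port#>
ocspCRLFallbackEnable=true
#ignoreRevocationCheckErrors=false
"""

# Constructed sample: responder filled in, CRL fallback still on (weaker than OCSP-only).
WITH_FALLBACK = AS_ON_PAGE.replace("http://<IPaddress:Port#>", "http://192.168.42.4:8888")

# Constructed sample: hardened per the NOTE, OCSP only, no fallback to CRLs.
OCSP_ONLY = WITH_FALLBACK.replace("ocspCRLFallbackEnable=true", "ocspCRLFallbackEnable=false")

# Constructed sample: the two mistakes Table 80 warns about.
BROKEN = """\
crlPath=../keys/current.crl
ocspEnabled=true
ocspDefaultResponderURL=http://192.168.42.4:8888
ocspCRLFallbackEnable=true
ignoreRevocationCheckErrors=true
"""

RESPONDER_URL = re.compile(r"https?://[^\s/:]+:\d{1,5}(/\S*)?")  # assumed shape


def parse_properties(text):
    """Split Java-style properties into (active, commented_out) key/value dicts.

    Only a '#' or '!' at the start of a line is a comment; a '#' later in the
    line belongs to the value, so the page's <IPaddress:Port#> placeholder is
    kept intact and flagged below rather than silently truncated.
    """
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target = active
        if line[0] in "#!":
            line, target = line[1:].strip(), commented
        key, sep, value = line.partition("=")
        if not sep:
            continue  # free-text comment, not a disabled setting
        target[key.strip()] = value.strip()
    return active, commented


def lint_ocsp(text, ocsp_only=False):
    """Return findings as a list of strings; [] means the file matches Table 80.

    ocsp_only=True additionally enforces the NOTE: a responder outage must
    fail the check rather than fall back to a CRL.
    """
    active, commented = parse_properties(text)
    findings = []
    if active.get("ocspEnabled", "").lower() != "true":
        findings.append("ocspEnabled must be set to true")
    if "crlPath" in active:
        findings.append("crlPath must be commented out: local CRLs are not supported with OCSP")
    if "ignoreRevocationCheckErrors" in active:
        findings.append("ignoreRevocationCheckErrors must be commented out when OCSP is in use")
    url = active.get("ocspDefaultResponderURL", "")
    if "<" in url or ">" in url:
        findings.append(f"ocspDefaultResponderURL still holds a placeholder: {url}")
    elif not url and "ocspDefaultResponderURL" in commented:
        findings.append("ocspDefaultResponderURL is commented out")
    elif not RESPONDER_URL.fullmatch(url):
        findings.append(f"ocspDefaultResponderURL is not http://host:port: {url!r}")
    if ocsp_only and active.get("ocspCRLFallbackEnable", "").lower() != "false":
        findings.append("OCSP-only policy: set ocspCRLFallbackEnable=false so a "
                        "responder outage cannot downgrade the check to a CRL")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as on page", AS_ON_PAGE), ("with fallback", WITH_FALLBACK),
                      ("ocsp only", OCSP_ONLY), ("broken", BROKEN)):
        print(f"{name:>13}: {lint_ocsp(cfg, ocsp_only=True) or 'OK'}")
```

Run it as root on the ETKMS against the real file (for example `lint_ocsp(open(path).read(), ocsp_only=True)`) after editing and before restarting the distribution service; the OCSP-only mode is what the NOTE above asks for, and the default mode accepts the CRL fallback that Table 80 describes.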
To set up OCSP on the ETEPs:
1 In the Appliance manager, right click on the appliance that you want to change and select Configuration.
2 Click the Advanced tab.
3 Click Enable OCSP.
4 In the OCSP URL box, enter the URL of the OCSP responder.
5 Make other selections as needed. See Table 81 for an explanation of the OCSP settings.
6 Click OK.
Table 80 ETKMS OCSP Parameters

Parameter                    Description

crlPath
    The directory path to a CRL stored locally. Storing CRLs locally is not supported when you use OCSP. When you use OCSP, comment this parameter out by preceding the line with a #.

ocspEnabled
    Enables and disables the use of OCSP.

ocspDefaultResponderURL
    IP address and port number of a default OCSP responder, for example: http://192.168.42.4:8888

ocspCRLFallbackEnable
    Enables and disables checking CRLs if no default OCSP responder is specified and no OCSP URL is found in the certificate, or when a responder cannot be reached.

ignoreRevocationCheckErrors
    Specifies whether to ignore revocation check failures for CRLs. When you use OCSP, comment this parameter out by preceding the line with a #. Ignoring revocation check failures is not a valid option when OCSP is in use.
Table 81 OCSP Settings

Option                       Description

Enable OCSP
    When checked, enables the use of OCSP. The default is unchecked.

Verify OCSP Response
    Verifies OCSP responses by authenticating the response with the installed certificate. The default is to verify the OCSP response.