Before you begin
Make sure that your system has the certificates that are required for OCSP checks. You can use Root or
Intermediate CA certificates that are configured with the OCSP response attribute or you can use a designated
OCSP signing certificate that has been uploaded to the tomcat-trust.
Procedure
Step 1 Log in to Cisco Unified OS Administration (for Unified Communications Manager certificate revocation) or
Cisco Unified IM and Presence Administration (for IM and Presence Service certificate revocation).
Step 2 Choose Security > Certificate Revocation.
Step 3 Check the Enable OCSP check box, and perform one of the following tasks:
• If you want to specify an OCSP responder for OCSP checks, select the Use configured OCSP URI
button and enter the URI of the responder in the OCSP Configured URI field.
• If the certificate is configured with an OCSP responder URI, select the Use OCSP URI from Certificate
button.
Step 4 Check the Enable Revocation Check check box.
Step 5 Complete the Check Every field with the interval period for revocation checks.
Step 6 Click Save.
Step 7 Optional. If you have CTI, IPsec, or LDAP links, you must also complete the following steps to enable
OCSP revocation support for those long-lived connections:
a) From Cisco Unified CM Administration, choose System > Enterprise Parameters.
b) Under Certificate Revocation and Expiry, set the Certificate Validity Check parameter to True.
c) Configure a value for the Validity Check Frequency parameter.
Note: The interval value of the Enable Revocation Check parameter in the Certificate Revocation
window takes precedence over the value of the Validity Check Frequency enterprise parameter.
d) Click Save.
Support for Delegated Trust Model in OCSP Response
Online Certificate Status Protocol (OCSP) allows a device to obtain real-time information about the status of
a given certificate. Examples of certificate status are Good, Revoked, and Unknown.
Unified Communications Manager uses OCSP to validate third-party certificates that are uploaded into the
Unified Communications Manager trust store. Unified Communications Manager requires an OCSP Responder
URL to connect to the OCSP responder server over HTTP. It sends an HTTP request to the responder to
validate a certificate.
Unified Communications Manager currently supports the Trusted Responder Model of OCSP, where the
OCSP response is signed by a self-signed certificate of the OCSP server. This self-signed certificate is uploaded
to the trust store before initiating an OCSP request. This certificate is used to verify the signature on the OCSP
response.
Unified Communications Manager 11.0 and later support the Delegated Trust Model (DTM) of the OCSP
responder, where the OCSP responses are no longer approved by the self-signed certificate but are issued by
Certificate Revocation/Expiry Status Verification