Parameter: OCSP_NoVerify
Short description: Controls whether OCSP verification of certificates is skipped – security-sensitive, only for air-gapped environments or diagnostics.
Profile
Parameter | OCSP_NoVerify |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | 0 = verify OCSP (default), 1 = skip OCSP check |
Description
During the TLS handshake, Domino uses OCSP to check whether a presented certificate has been revoked in the meantime. If the OCSP responder does not work, TLS connections can fail.
OCSP_NoVerify=1 disables this check globally – comparable to NOCRLCheck, but specifically for OCSP. Use only in air-gap setups or for temporary diagnostics, because revoked certificates are then no longer rejected.
Example configuration
OCSP_NoVerify=1
Notes & pitfalls
- Significantly weakens TLS security – document and limit in time.
- For internet-exposed servers, definitely leave the value at 0.
- Pairs with NOCRLCheck, OCSP_CHECK_CLIENT_CERT, LogPrintCertChainErrors.
- Takes effect after a restart of the consuming tasks (HTTP, SMTP, LDAP).
- For purely temporary tests, prefer a maintenance server instead of toggling in production.
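
A configuration check for the setting described above, as an added example that is not part of the original page or of the product: it scans notes.ini content, reports every line where OCSP_NoVerify is anything other than 0, and lists the paired parameters named on this page so they can be reviewed together. The function name, the case-insensitive key matching, the reporting of every duplicate occurrence, and the sample file content are assumptions made for this example.

```python
import re

# Parameters named on this page that belong in the same review.
RELATED = ("NOCRLCheck", "OCSP_CHECK_CLIENT_CERT", "LogPrintCertChainErrors")
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_$]+)\s*=\s*(.*?)\s*$")

def audit_notes_ini(text):
    """Return (findings, related) for notes.ini content.

    findings: list of (line_number, value) where OCSP_NoVerify is not 0.
    related:  dict name -> list of (line_number, value) for paired parameters.
    Assumptions: key names are compared case-insensitively, and every
    occurrence is reported because duplicate handling is not described here.
    """
    findings = []
    related = {name: [] for name in RELATED}
    by_lower = {name.lower(): name for name in RELATED}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, anything that is not key=value
        key, value = m.group(1).lower(), m.group(2)
        if key == "ocsp_noverify":
            # Page: 0 = verify OCSP (default), 1 = skip OCSP check. Any value
            # other than 0 is reported so odd entries get a human look.
            if value != "0":
                findings.append((lineno, value))
        elif key in by_lower:
            related[by_lower[key]].append((lineno, value))
    return findings, related

# Constructed sample input, not taken from a real server.
SAMPLE = """[Notes]
ServerTasks=Replica,Router,HTTP,LDAP
ocsp_noverify = 1
NOCRLCheck=1
LogPrintCertChainErrors=1
"""

if __name__ == "__main__":
    findings, related = audit_notes_ini(SAMPLE)
    for lineno, value in findings:
        print(f"line {lineno}: OCSP_NoVerify={value} -> OCSP revocation check is skipped")
    for name, hits in related.items():
        for lineno, value in hits:
            print(f"line {lineno}: {name}={value} (review together)")
```

Running a check like this against each server's notes.ini on a schedule helps catch a diagnostic setting that was never reverted.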