
Providing the Revocation Status of a Server Certificate to a Client

Jan 09, 2017

Without stapling, the NetScaler implementation of CRL and OCSP reports the revocation status of client certificates only. To learn the revocation status of a server certificate received during an SSL handshake, a client has to send its own request to the certificate authority's OCSP responder.

For web sites with heavy traffic, many clients receive the same server certificate. If each client sent a query for the revocation status of the server certificate, the certificate authority would be inundated with OCSP requests to check the validity of the certificate.

OCSP Stapling Solution

To avoid this congestion, the NetScaler appliance supports OCSP stapling: the appliance obtains the revocation status of its server certificate from an OCSP responder and sends that status to the client during the SSL handshake. The status is "stapled" to the certificate the appliance sends the client as part of the handshake, so the client does not need to contact the OCSP responder itself. To use OCSP stapling, enable it on the SSL virtual server and add an OCSP responder on the appliance.

Note

NetScaler appliances support OCSP stapling as defined in RFC 6066. 

OCSP stapling is supported only on the front-end of NetScaler appliances.

Important

NetScaler support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher. This feature is not supported in a cluster setup.

OCSP Response Caching of Server Certificates

During the SSL handshake, when a client requests the revocation status of the server certificate, the appliance first checks its local cache for an entry for that certificate. If a valid entry is found, the appliance presents the server certificate together with its status. If no entry is found, the appliance sends the certificate to the client without a status, sends a request for the certificate's revocation status to the OCSP responder, and caches the response until the nextUpdate time in that response. If the response carries no nextUpdate field, it is cached for the configured cache timeout.

The revocation status of a server certificate might not be available when a client initially requests a server certificate, for two reasons. Either the appliance sent a request but is still waiting for a response from the OCSP responder, or the server certificate status information on the appliance has expired and the appliance has to send a fresh request to the OCSP responder.

Configuring OCSP Stapling

Configuring OCSP stapling involves enabling the feature and configuring OCSP. To configure OCSP, add an OCSP responder, bind the responder to the CA certificate that issued the server certificate, and bind that CA certificate to the SSL virtual server.

Enabling OCSP Stapling

As soon as you enable OCSP stapling, the NetScaler appliance sends a request to the OCSP responder, for the revocation status of the server certificate that is bound to the SSL virtual server. Upon receiving the response, the appliance caches it until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for a user-specified period. This status is sent to the client during the SSL handshake.

To enable OCSP stapling by using the NetScaler command line

At the command prompt, type:

set ssl vserver <name> -ocspStapling ( ENABLED | DISABLED )

Example

> set ssl vserver vip1 -ocspStapling ENABLED
Done
> sh ssl vserver vip1

Advanced SSL configuration for VServer vip1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
OCSP Stapling: ENABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES

ECC Curve: P_256, P_384, P_224, P_521

1) CertKey Name: server_certificate1 Server Certificate

1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done

To enable OCSP stapling by using the NetScaler GUI

  1. Navigate to Traffic Management > SSL > Virtual Server.
  2. Open a virtual server and, in SSL Parameters, select OCSP Stapling.
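Once stapling is enabled, the check worth making is from a client: ask for a stapled status and confirm that one actually arrives. The script below is an added example, not part of this documentation or the NetScaler code. It assumes openssl(1) on the client; the VIP address and SNI name are placeholders, and the transcript embedded in it is constructed. It also reports the Next Update time of the stapled response, because the caching rule described above uses that field when it is present and falls back to the configured -cacheTimeout only when it is absent.

```shell
#!/bin/sh
# Client-side check that an SSL virtual server really staples an OCSP
# response once "-ocspStapling ENABLED" is set. Added example, not NetScaler
# code. The host names and the SAMPLE_GOOD transcript are constructed.

# Open a handshake with the status_request extension (RFC 6066) and dump what
# the server sent. $1 = host:port of the VIP, $2 = SNI name (both hypothetical).
fetch_stapled() {
    openssl s_client -connect "$1" -servername "$2" -status </dev/null 2>/dev/null
}

# Reduce an "s_client -status" transcript (stdin) to one verdict word and exit
# 0 only for a stapled "good" status. Everything else means "status not
# proven": nothing stapled (the appliance is still waiting for the responder,
# or its cached entry expired), a responder error, or a revoked or unknown
# certificate.
classify_staple() {
    awk '
        /^OCSP response: no response sent/            { verdict = "NOT_STAPLED" }
        /OCSP Response Status:/ && $0 !~ /successful/ { verdict = "RESPONDER_ERROR" }
        /Cert Status:/                                { status = $NF }
        END {
            if (verdict == "") {
                if (status == "good")         verdict = "GOOD"
                else if (status == "revoked") verdict = "REVOKED"
                else if (status == "")        verdict = "NOT_STAPLED"
                else                          verdict = "UNKNOWN"
            }
            print verdict
            rc = (verdict == "GOOD") ? 0 : 1
            exit rc
        }'
}

# Print the Next Update time of the stapled response, or "absent". When it is
# absent the appliance caches the response for its configured -cacheTimeout,
# so that value, not the responder, decides when the staple is refreshed.
staple_next_update() {
    awk '
        /Next Update:/ { sub(/^[ \t]*Next Update:[ \t]*/, ""); found = $0 }
        END { if (found == "") print "absent"; else print found }'
}

# Constructed transcript of the relevant part of an "s_client -status" run
# against a stapling VIP (dates made up).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 1000
    Cert Status: good
    This Update: Jan  9 00:00:00 2017 GMT
    Next Update: Jan 16 00:00:00 2017 GMT
======================================'

printf '%s\n' "$SAMPLE_GOOD" | classify_staple      # GOOD
printf '%s\n' "$SAMPLE_GOOD" | staple_next_update   # Jan 16 00:00:00 2017 GMT
# Live: fetch_stapled 203.0.113.10:443 www.example.com | classify_staple
```

Run the live form a few times right after enabling stapling: the first handshakes can legitimately come back NOT_STAPLED while the appliance is still waiting for the responder, which is the first of the two reasons given above.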

Configuring OCSP

An OCSP responder can be added dynamically (an internal responder), based on the OCSP URL carried in the server certificate's Authority Information Access extension, or it can be added manually from the NetScaler CLI or GUI.

Note

A manually added OCSP responder takes precedence over a dynamically added responder.

To dynamically create an internal OCSP responder, the appliance needs the following:

  • Certificate of the issuer of the server certificate (usually the CA certificate).
  • Certificate-key pair of the server certificate. This certificate must contain the OCSP URL provided by the CA. The URL is used as the name of the dynamically added internal responder.

An internal OCSP responder cannot be removed (deleted) or unbound from the virtual server. To remove an internal OCSP responder, you must remove the issuer or the server certificate.

Note

Batching depth and batching delay parameters do not apply to server certificates.

To configure OCSP by using the command line interface

At the command prompt, type the following commands to configure OCSP and verify the configuration:

  • add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]
  • add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED ) [-cacheTimeout <positive_integer>]] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )] [-insertClientCert ( YES | NO )]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • show ssl ocspResponder [<name>]
Example

add ssl certKey root_ca1 -cert root_cacert.pem
add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
bind ssl certKey root_ca1 -ocspResponder ocsp_responder1 -priority 1
sh ssl ocspResponder ocsp_responder1
1)Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled        Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
Done

show ssl certKey root_ca1
Name: root_ca1     Status: Valid,   Days to expiration:8907
Version: 3
…
1)  OCSP Responder name: ocsp_responder1     Priority: 1
Done

To modify OCSP by using the command line interface

You cannot modify the name of an OCSP responder, but you can use the set ssl ocspResponder command to change any of the other parameters.

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED )] [-cacheTimeout <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )]
  • unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • show ssl ocspResponder [<name>]

To configure OCSP by using the configuration utility

  1. Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP responder.
  2. Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
  3. Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
  4. Optionally, select OCSP Mandatory.
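Before adding a responder, it is worth querying it the way the appliance will and checking that the reply verifies. The script below is an added example, not NetScaler code or part of this documentation. It maps the add ssl ocspResponder parameters onto the nearest openssl ocsp flags (an approximate mapping, marked as such in the comments), reuses root_cacert.pem and the responder URL from the example above, and the file names server_cert.pem and responder_cert.pem as well as the sample replies are constructed.

```shell
#!/bin/sh
# Query an OCSP responder with openssl(1) before pointing the appliance at it
# with "add ssl ocspResponder". Added example, not NetScaler code. The flag
# mapping is approximate; server_cert.pem, responder_cert.pem and the sample
# replies are constructed.

# Nearest openssl ocsp flag for each responder parameter (approximate):
#   -url <URL>          -> -url
#   -useNonce YES|NO    -> -nonce | -no_nonce
#   -responderCert <c>  -> -VAfile <c>.pem   (explicitly trusted responder cert)
#   -trustResponder     -> -noverify         (accept the reply unverified)
#   -resptimeout <ms>   -> -timeout <s>      (seconds, not milliseconds)
#   -signingCert <c>    -> -signer/-signkey  (signed requests; not shown here)
query_responder() {
    # $1 issuer PEM (the certKey the responder is bound to), $2 server cert PEM,
    # $3 responder URL, $4 YES|NO for the nonce, $5 responder cert PEM or empty
    issuer=$1 cert=$2 url=$3 nonce=$4 va=$5
    set -- -issuer "$issuer" -cert "$cert" -url "$url"
    if [ "$nonce" = "YES" ]; then set -- "$@" -nonce; else set -- "$@" -no_nonce; fi
    if [ -n "$va" ]; then set -- "$@" -VAfile "$va"; fi
    # openssl writes the verify result to stderr and the status to stdout;
    # merge them so one classifier sees both
    openssl ocsp "$@" 2>&1
}

# Reduce an openssl ocsp reply (stdin) to one verdict word; exit 0 only for a
# signature-verified "good". UNVERIFIED is what -noverify (-trustResponder)
# produces; _NO_NONCE is appended when the request carried a nonce and the
# responder ignored it, which is worth knowing before setting -useNonce YES.
classify_ocsp_reply() {
    awk '
        /Error querying OCSP responder/ { verdict = "UNREACHABLE" }
        /Responder Error:/              { verdict = "RESPONDER_ERROR" }
        /Response Verify Failure/       { verdict = "BAD_SIGNATURE" }
        /Nonce Verify error/            { verdict = "NONCE_MISMATCH" }
        /Response verify OK/            { verified = 1 }
        /WARNING: no nonce in response/ { no_nonce = 1 }
        /: (good|revoked|unknown)$/     { status = $NF }
        END {
            if (verdict == "") {
                if (!verified)                verdict = "UNVERIFIED"
                else if (status == "good")    verdict = "GOOD"
                else if (status == "revoked") verdict = "REVOKED"
                else                          verdict = "UNKNOWN"
            }
            if (no_nonce) verdict = verdict "_NO_NONCE"
            print verdict
            rc = (verdict == "GOOD") ? 0 : 1
            exit rc
        }'
}

# Constructed replies (dates made up).
SAMPLE_GOOD='Response verify OK
server_cert.pem: good
    This Update: Jan  9 10:00:00 2017 GMT
    Next Update: Jan 16 10:00:00 2017 GMT'
SAMPLE_REVOKED='Response verify OK
server_cert.pem: revoked
    This Update: Jan  9 10:00:00 2017 GMT
    Reason: keyCompromise
    Revocation Time: Jan  8 09:00:00 2017 GMT'

printf '%s\n' "$SAMPLE_GOOD" | classify_ocsp_reply   # GOOD
# Live, matching the add ssl ocspResponder example above:
# query_responder root_cacert.pem server_cert.pem http://www.myCA.org:80/ocsp/ YES responder_cert.pem | classify_ocsp_reply
```

A reply that classifies as BAD_SIGNATURE with the responder certificate you intend to use for -responderCert means the appliance's "Response Verification: Full" check will fail the same way; fix the certificate rather than falling back to -trustResponder.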