Monitor certificate status with OCSP
Online Certificate Status Protocol (OCSP) is an Internet protocol that is used to determine the status of a client SSL certificate. Citrix ADC appliances support OCSP as defined in RFC 2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of timely information. Up-to-date revocation status of a client certificate is especially useful in transactions involving large sums of money and high-value stock trades. It also uses fewer system and network resources. Citrix ADC implementation of OCSP includes request batching and response caching.
OCSP validation on a Citrix ADC appliance begins when the appliance receives a client certificate during an SSL handshake. To validate the certificate, the appliance creates an OCSP request and forwards it to the OCSP responder. To do so, the appliance uses a locally configured URL. The transaction is in a suspended state until the appliance evaluates the response from the server and determines whether to allow the transaction or reject it. If the response from the server is delayed beyond the configured time and no other responders are configured, the appliance allows the transaction or display an error, depending on whether the OCSP check was set to optional or mandatory, respectively.
The appliance supports batching of OCSP requests and caching of OCSP responses to reduce the load on the OCSP responder and provide faster responses.
OCSP request batching
Each time the appliance receives a client certificate, it sends a request to the OCSP responder. To help avoid overloading the OCSP responder, the appliance can query the status of more than one client certificate in the same request. For this feature to work efficiently, a timeout needs to be defined so that processing of a single certificate is not inordinately delayed while waiting to form a batch.
OCSP response caching
Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder. Upon receiving the revocation status of a client certificate from the OCSP responder, the appliance caches the response locally for a predefined length of time. When a client certificate is received during an SSL handshake, the appliance first checks its local cache for an entry for this certificate. If an entry is found that is still valid (within the cache timeout limit), it is evaluated and the client certificate is accepted or rejected. If a certificate is not found, the appliance sends a request to the OCSP responder and stores the response in its local cache for a configured length of time.
Note: From release 12.1 build 49.x, the cache timeout limit is now increased to a maximum of 43200 minutes (30 days). Earlier the limit was 1440 minutes (one day). The increased limit helps reduce the lookups on the OCSP server and avoid any SSL/TLS connection failures in case the OCSP server is not reachable due to network or other problems.
OCSP responder configuration
Configuring OCSP involves adding an OCSP responder, binding the OCSP responder to a certification authority (CA) certificate, and binding the certificate to an SSL virtual server. If you need to bind a different certificate to an OCSP responder that has already been configured, you need to first unbind the responder and then bind the responder to a different certificate.
Add an OCSP responder by using the CLI
At the command prompt, type the following commands to configure OCSP and verify the configuration:
add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED )[-cacheTimeout <positive_integer>]] [ -batchingDepth <positive_integer>][-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>][-signingCert <string>][-useNonce ( YES | NO )][ -insertClientCert( YES | NO )] <!--NeedCopy-->
bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>] <!--NeedCopy-->
bind ssl vserver <vServerName>@ (-certkeyName <string> ( CA [-ocspCheck ( Mandatory | Optional )])) <!--NeedCopy-->
show ssl ocspResponder [<name>] <!--NeedCopy-->
add ssl ocspResponder ocsp_responder1 -url "http:// www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -batchingDepth 8 -batchingDelay 100 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES <!--NeedCopy-->
bind ssl certKey ca_cert -ocspResponder ocsp_responder1 -priority 1 <!--NeedCopy-->
bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Mandatory <!--NeedCopy-->
sh ocspResponder ocsp_responder1 1)Name: ocsp_responder1 URL: http://www.myCA.org:80/ocsp/, IP: 126.96.36.199 Caching: Enabled Timeout: 30 minutes Batching: 8 Timeout: 100 mS HTTP Request Timeout: 100mS Request Signing Certificate: sign_cert Response Verification: Full, Certificate: responder_cert ProducedAt Time Skew: 300 s Nonce Extension: Enabled Client Cert Insertion: Enabled Done <!--NeedCopy-->
show certkey ca_cert Name: ca_cert Status: Valid, Days to expiration:8907 Version: 3 … 1) VServer name: vs1 CA Certificate 1) OCSP Responder name: ocsp_responder1 Priority: 1 Done <!--NeedCopy-->
sh ssl vs vs1 Advanced SSL configuration for VServer vs1: DH: DISABLED … 1) CertKey Name: ca_cert CA Certificate OCSPCheck: Mandatory 1) Cipher Name: DEFAULT Description: Predefined Cipher Alias Done <!--NeedCopy-->
Modify an OCSP responder by using the CLI
You cannot modify the responder name. All other parameters can be changed using the
set ssl ocspResponder command.
At the command prompt, type the following commands to set the parameters and verify the configuration:
set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED)] [-cacheTimeout <positive_integer>] [-batchingDepth <positive_integer>] [-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [ -responderCert <string> | -trustResponder][-producedAtTimeSkew <positive_integer>][-signingCert <string>] [-useNonce ( YES | NO )] unbind ssl certKey [<certkeyName>] [-ocspResponder <string>] bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>] show ssl ocspResponder [<name>] <!--NeedCopy-->
Configure an OCSP responder by using the GUI
- Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP responder.
- Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
- Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
- Optionally, select select OCSP Mandatory.