Monitoring Certificate Status with OCSP

January 23, 2019

| Contributed by:

Online Certificate Status Protocol (OCSP) is an Internet protocol that is used to determine the status of a client SSL certificate. Citrix Gateway supports OCSP as defined in RFC 2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of timely information. Up-to-date revocation status of a client certificate is especially useful in transactions involving large sums of money and high-value stock trades. It also uses fewer system and network resources. Citrix Gateway implementation of OCSP includes request batching and response caching.

Citrix Gateway Implementation of OCSP

OCSP validation on an Citrix Gateway appliance begins when Citrix Gateway receives a client certificate during an SSL handshake. To validate the certificate, Citrix Gateway creates an OCSP request and forwards it to the OCSP responder. To do so, Citrix Gateway either extracts the URL for the OCSP responder from the client certificate or uses a locally configured URL. The transaction is in a suspended state until Citrix Gateway evaluates the response from the server and determines whether to allow the transaction or to reject it. If the response from the server is delayed beyond the configured time and no other responders are configured, Citrix Gateway allows the transaction or displays an error, depending on whether you set the OCSP check to optional or mandatory. Citrix Gateway supports batching of OCSP requests and caching of OCSP responses to reduce the load on the OCSP responder and provide faster responses.

OCSP Request Batching

Each time Citrix Gateway receives a client certificate, it sends a request to the OCSP responder. To help avoid overloading the OCSP responder, Citrix Gateway can query the status of more than one client certificate in the same request. For request batching to work efficiently, you need to define a time-out so that processing of a single certificate is not delayed while waiting to form a batch.

OCSP Response Caching

Caching of responses received from the OCSP responder enables faster responses to the user and reduces the load on the OCSP responder. Upon receiving the revocation status of a client certificate from the OCSP responder, Citrix Gateway caches the response locally for a predefined length of time. When a client certificate is received during an SSL handshake, Citrix Gateway first checks its local cache for an entry for this certificate. If an entry is found that is still valid (within the cache time-out limit), the entry is evaluated and the client certificate is accepted or rejected. If a certificate is not found, Citrix Gateway sends a request to the OCSP responder and stores the response in its local cache for a configured length of time.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Support: https://www.citrix.com/support

Feedback and forums: https://discussions.citrix.com

Version

Monitoring Certificate Status with OCSP

Monitoring Certificate Status with OCSP

Citrix Gateway Implementation of OCSP

OCSP Request Batching

OCSP Response Caching

Monitoring Certificate Status with OCSP

In this article