Monitoring Certificate Status with OCSP

Jul 07, 2016

Online Certificate Status Protocol (OCSP) is an Internet protocol used to determine the status of a client SSL certificate. NetScaler appliances support OCSP as defined in RFC 2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of timely information. Up-to-date revocation status of a client certificate is especially useful in transactions involving large sums of money and high-value stock trades. OCSP also uses fewer system and network resources than CRLs. The NetScaler implementation of OCSP includes request batching and response caching.

To monitor certificate status with OCSP, see the following sections:

NetScaler Implementation of OCSP

OCSP validation on a NetScaler appliance begins when the appliance receives a client certificate during an SSL handshake. To validate the certificate, the NetScaler creates an OCSP request and forwards it to the OCSP responder. To do so, the NetScaler uses a locally configured URL. The transaction is in a suspended state until the NetScaler evaluates the response from the server and determines whether to allow the transaction or reject it. If the response from the server is delayed beyond the configured time and no other responders are configured, the NetScaler will allow the transaction or display an error, depending on whether the OCSP check was set to optional or mandatory, respectively.

The NetScaler supports batching of OCSP requests and caching of OCSP responses to reduce the load on the OCSP responder and provide faster responses.

OCSP Request Batching

Each time the NetScaler receives a client certificate, it sends a request to the OCSP responder. To help avoid overloading the OCSP responder, the NetScaler can query the status of more than one client certificate in the same request. For this to work efficiently, a timeout needs to be defined so that processing of a single certificate is not inordinately delayed while waiting to form a batch.

OCSP Response Caching

Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder. Upon receiving the revocation status of a client certificate from the OCSP responder, the NetScaler caches the response locally for a predefined length of time. When a client certificate is received during an SSL handshake, the NetScaler first checks its local cache for an entry for this certificate. If an entry is found that is still valid (within the cache timeout limit), it is evaluated and the client certificate is accepted or rejected. If a certificate is not found, the NetScaler sends a request to the OCSP responder and stores the response in its local cache for a configured length of time.
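The decision flow described in the three sections above (cache lookup, cache timeout, producedAt skew check, and the Mandatory/Optional fallback when the responder does not answer in time), modelled as an added Python example. This is a hypothetical model written for this page, not NetScaler code; the certificate ids, statuses and clock values are constructed, and the real appliance sends DER-encoded OCSP requests rather than calling a callback.

```python
from typing import Callable, Dict, Optional, Tuple

class OcspResponderModel:
    """Hypothetical model of this page's flow: cache lookup, producedAt skew, fallback."""
    def __init__(self, query: Callable[[str], Optional[Tuple[str, float]]],
                 cache_timeout_min: int = 30, produced_at_skew_s: int = 300) -> None:
        self.query = query                         # sends the request; None = no reply in time
        self.cache_timeout_s = cache_timeout_min * 60   # -cacheTimeout is given in minutes
        self.produced_at_skew_s = produced_at_skew_s    # -producedAtTimeSkew, in seconds
        self.cache: Dict[str, Tuple[str, float]] = {}   # cert id -> (status, cached_at)

    def check(self, cert_id: str, now: float, mandatory: bool) -> bool:
        """Return True if the SSL handshake may proceed for this client certificate."""
        entry = self.cache.get(cert_id)
        if entry and now - entry[1] < self.cache_timeout_s:
            return entry[0] == "good"          # cache hit still within the timeout
        reply = self.query(cert_id)
        if reply is None:                      # responder did not answer within resptimeout
            return not mandatory               # Optional: allow; Mandatory: reject
        status, produced_at = reply
        if abs(now - produced_at) > self.produced_at_skew_s:
            return False                       # producedAt outside the allowed skew
        self.cache[cert_id] = (status, now)    # cache the fresh response
        return status == "good"

def demo() -> dict:
    """Constructed scenario: a fake responder driven by a shared clock."""
    clock = [1_000_000.0]                      # constructed 'now', advanced per step
    calls = []                                 # every request that reached the responder
    def fake_responder(cert_id):
        calls.append(cert_id)
        if cert_id == "cert-timeout":
            return None                        # no reply within resptimeout
        if cert_id == "cert-stale":
            return "good", clock[0] - 3600     # producedAt an hour in the past
        return ("revoked" if cert_id == "cert-revoked" else "good"), clock[0]
    r = OcspResponderModel(query=fake_responder)
    def check(cert, mandatory=True, advance=0.0):
        clock[0] += advance
        return r.check(cert, clock[0], mandatory)
    out = {
        "good_first": check("cert-good"),                    # queried and cached
        "good_cached": check("cert-good", advance=60),       # served from cache
        "good_expired": check("cert-good", advance=30 * 60), # entry expired, requeried
        "revoked": check("cert-revoked"),
        "stale_response": check("cert-stale"),               # exceeds producedAtTimeSkew
        "timeout_mandatory": check("cert-timeout"),
        "timeout_optional": check("cert-timeout", mandatory=False),
    }
    out["responder_calls"] = len(calls)
    return out
```

Note that a timed-out request is never cached, so every handshake for that certificate goes back to the responder until it answers.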

Configuring an OCSP Responder

Configuring OCSP involves adding an OCSP responder, binding the OCSP responder to a certification authority (CA) certificate, and binding the certificate to an SSL virtual server. If you need to bind a different certificate to an OCSP responder that has already been configured, you need to first unbind the responder and then bind the responder to a different certificate.

To add an OCSP responder by using the command line interface

At the command prompt, type the following commands to configure OCSP and verify the configuration:

  • add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED ) [-cacheTimeout <positive_integer>]] [-batchingDepth <positive_integer>] [-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )] [-insertClientCert ( YES | NO )]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • bind ssl vserver <vServerName> (-certkeyName <string> (-CA [-ocspCheck ( Mandatory | Optional )]))
  • show ssl ocspResponder [<name>]

Example


add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -batchingDepth 8 -batchingDelay 100 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
bind ssl certKey ca_cert -ocspResponder ocsp_responder1 -priority 1
bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Mandatory

sh ssl ocspResponder ocsp_responder1
1) Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled        Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
Done

show certkey ca_cert
Name: ca_cert     Status: Valid,   Days to expiration:8907
Version: 3
…
1)  VServer name: vs1      CA Certificate
1)  OCSP Responder name: ocsp_responder1     Priority: 1
Done

sh ssl vs vs1
Advanced SSL configuration for VServer vs1:
DH: DISABLED
…
1) CertKey Name: ca_cert CA Certificate OCSPCheck: Mandatory
1) Cipher Name: DEFAULT
  Description: Predefined Cipher Alias
Done

To modify an OCSP responder by using the command line interface

You cannot modify the responder name. All other parameters can be changed with the set ssl ocspResponder command.

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED )] [-cacheTimeout <positive_integer>] [-batchingDepth <positive_integer>] [-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )]
  • unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • show ssl ocspResponder [<name>]

To configure an OCSP responder by using the configuration utility

  1. Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP responder.
  2. Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
  3. Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
  4. Optionally, select OCSP Mandatory.