- Configuring SSL Offloading
- Enhanced SSL Profiles Infrastructure Overview
- Managing Certificates
- Managing Certificate Revocation Lists
- Monitoring Certificate Status with OCSP
- Providing the Revocation Status of a Server Certificate to a Client
- Configuring Client Authentication
- Customizing the SSL Configuration
- Configuring SSL Actions and Policies
- Use Case 1: Configuring SSL Offloading with End-to-End Encryption
- Use Case 2: Configuring Transparent SSL Acceleration
- Use Case 3: Configuring SSL Acceleration with HTTP on the Front End and SSL on the Back End
- Use Case 4: SSL Offloading with Other TCP Protocols
- Use Case 5: Configuring SSL Bridging
- Use Case 6: Configuring SSL Monitoring when Client Authentication is Enabled on the Backend Service
- Use Case 7: Configuring a Secure Content Switching Server
- Ciphers Supported by the NetScaler Appliance
- FIPS Approved Ciphers
- Cipher/Protocol Support Matrix on the NetScaler Appliance
- Server Certificate Support Matrix on the NetScaler Appliance
- Support for MPX 5900 and MPX/SDX 8900 Platforms
- Configuring the MPX 9700/10500/12500/15500 FIPS Appliances
- Configuring the MPX 14000 FIPS Appliance
- Configuring an SDX 14000 FIPS Appliance
- Support for a Hybrid FIPS Mode on the MPX/SDX 14000 FIPS Platform
- Support for Thales nShield® HSM
- Support for SafeNet Network Hardware Security Module
- Troubleshooting
- SSL FAQs
Monitoring Certificate Status with OCSP
Jul 07, 2016
Online Certificate Status Protocol (OCSP) is an Internet protocol that is used to determine the status of a client SSL certificate. NetScaler appliances support OCSP as defined in RFC 2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of timely information. Up-to-date revocation status of a client certificate is especially useful in transactions involving large sums of money and high-value stock trades. It also uses fewer system and network resources. NetScaler implementation of OCSP includes request batching and response caching.
To monitor certificate status with OCSP, see the following sections:
NetScaler Implementation of OCSP
OCSP validation on a NetScaler appliance begins when the appliance receives a client certificate during an SSL handshake. To validate the certificate, the NetScaler creates an OCSP request and forwards it to the OCSP responder. To do so, the NetScaler uses a locally configured URL. The transaction is in a suspended state until the NetScaler evaluates the response from the server and determines whether to allow the transaction or reject it. If the response from the server is delayed beyond the configured time and no other responders are configured, the NetScaler will allow the transaction or display an error, depending on whether the OCSP check was set to optional or mandatory, respectively.
The NetScaler supports batching of OCSP requests and caching of OCSP responses to reduce the load on the OCSP responder and provide faster responses.
OCSP Request Batching
Each time the NetScaler receives a client certificate, it sends a request to the OCSP responder. To help avoid overloading the OCSP responder, the NetScaler can query the status of more than one client certificate in the same request. For this to work efficiently, a timeout needs to be defined so that processing of a single certificate is not inordinately delayed while waiting to form a batch.
OCSP Response Caching
Caching of responses received from the OCSP responder enables faster responses to the clients and reduces the load on the OCSP responder. Upon receiving the revocation status of a client certificate from the OCSP responder, the NetScaler caches the response locally for a predefined length of time. When a client certificate is received during an SSL handshake, the NetScaler first checks its local cache for an entry for this certificate. If an entry is found that is still valid (within the cache timeout limit), it is evaluated and the client certificate is accepted or rejected. If a certificate is not found, the NetScaler sends a request to the OCSP responder and stores the response in its local cache for a configured length of time.
Configuring an OCSP Responder
Configuring OCSP involves adding an OCSP responder, binding the OCSP responder to a certification authority (CA) certificate, and binding the certificate to an SSL virtual server. If you need to bind a different certificate to an OCSP responder that has already been configured, you need to first unbind the responder and then bind the responder to a different certificate.
To add an OCSP responder by using the command line interface
At the command prompt, type the following commands to configure OCSP and verify the configuration:
- add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED )[-cacheTimeout <positive_integer>]] [ -batchingDepth <positive_integer>][-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>][-signingCert <string>][-useNonce ( YES | NO )][ -insertClientCert( YES | NO )]
- bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
- bind ssl vserver <vServerName>@ (-certkeyName <string> ( CA [-ocspCheck ( Mandatory | Optional )]))
- show ssl ocspResponder [<name>]
Example
add ssl ocspResponder ocsp_responder1 -url "http:// www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -batchingDepth 8 -batchingDelay 100 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES bind ssl certKey ca_cert -ocspResponder ocsp_responder1 -priority 1 bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Mandatory sh ocspResponder ocsp_responder1 1)Name: ocsp_responder1 URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22 Caching: Enabled Timeout: 30 minutes Batching: 8 Timeout: 100 mS HTTP Request Timeout: 100mS Request Signing Certificate: sign_cert Response Verification: Full, Certificate: responder_cert ProducedAt Time Skew: 300 s Nonce Extension: Enabled Client Cert Insertion: Enabled Done show certkey ca_cert Name: ca_cert Status: Valid, Days to expiration:8907 Version: 3 … 1) VServer name: vs1 CA Certificate 1) OCSP Responder name: ocsp_responder1 Priority: 1 Done sh ssl vs vs1 Advanced SSL configuration for VServer vs1: DH: DISABLED … 1) CertKey Name: ca_cert CA Certificate OCSPCheck: Mandatory 1) Cipher Name: DEFAULT Description: Predefined Cipher Alias Done
To modify an OCSP responder by using the command line interface
You cannot modify the responder name. All other parameters can be changed using the set ssl ocspResponder command.
At the command prompt, type the following commands to set the parameters and verify the configuration:
- set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED)] [-cacheTimeout <positive_integer>] [-batchingDepth <positive_integer>] [-batchingDelay <positive_integer>] [-resptimeout <positive_integer>] [ -responderCert <string> | -trustResponder][-producedAtTimeSkew <positive_integer>][-signingCert <string>] [-useNonce ( YES | NO )]
- unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
- bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
- show ssl ocspResponder [<name>]
To configure an OCSP responder by using the configuration utility
- Navigate to , and configure an OCSP responder.
- Navigate to , select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
- Navigate to , open a virtual server, and click in the Certificates section to bind a CA certificate.
- Optionally, select select OCSP Mandatory.
Support:
https://www.citrix.com/support
Feedback and forums:
https://discussions.citrix.com