Providing the Revocation Status of a Server Certificate to a Client

Jan 09, 2017

The NetScaler implementation of CRL and OCSP reports the revocation status of client certificates only. To check the revocation status of a server certificate received during an SSL handshake, a client must send a request to a certificate authority.

For web sites with heavy traffic, many clients receive the same server certificate. If each client sent a query for the revocation status of the server certificate, the certificate authority would be inundated with OCSP requests to check the validity of the certificate.

OCSP Stapling Solution

To avoid unnecessary congestion, the NetScaler appliance now supports OCSP stapling. That is, the appliance can now send the revocation status of a server certificate to a client, at the time of the SSL handshake, after validating the certificate status from an OCSP responder. The revocation status of a server certificate is “stapled” to the response the appliance sends to the client as part of the SSL handshake. To use the OCSP stapling feature, you must enable it on an SSL virtual server and add an OCSP responder on the appliance.

Note

NetScaler appliances support OCSP stapling as defined in RFC 6066. 

OCSP stapling is supported only on the front-end of NetScaler appliances.

Important

NetScaler support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher. This feature is not supported in a cluster setup.

OCSP Response Caching of Server Certificates

During the SSL handshake, when a client requests the revocation status of the server certificate, the NetScaler appliance first checks its local cache for an entry for this certificate. If an entry is found and is still valid, it is evaluated, and the server certificate and its status are presented to the client. If a revocation status entry is not found, the appliance sends the certificate to the client without the status, sends a request for the revocation status of the server certificate to the OCSP responder, and stores the response in its local cache until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for the configured length of time.

The revocation status of a server certificate might not be available when a client initially requests a server certificate, for two reasons. Either the appliance sent a request but is still waiting for a response from the OCSP responder, or the server certificate status information on the appliance has expired and the appliance has to send a fresh request to the OCSP responder.
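To make the caching rules above concrete, here is a small model of the appliance-side decision logic (added for illustration; this is not NetScaler code). It assumes a per-certificate cache keyed by a certificate identifier, a cache timeout in minutes (the -cacheTimeout responder parameter) and a producedAt skew tolerance in seconds (the -producedAtTimeSkew parameter); the timeline in run_scenario is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResponse:
    cert_status: str                  # "good", "revoked" or "unknown"
    produced_at: datetime
    next_update: Optional[datetime]   # None when the responder omits nextUpdate

class StaplingCache:
    """Hypothetical model of the appliance-side cache; not NetScaler code."""

    def __init__(self, cache_timeout_min: int, produced_at_skew_s: int):
        self.cache_timeout = timedelta(minutes=cache_timeout_min)   # -cacheTimeout
        self.skew = timedelta(seconds=produced_at_skew_s)           # -producedAtTimeSkew
        self.entries = {}          # cert_id -> (OcspResponse, expires_at)
        self.pending = set()       # cert_ids with an outstanding responder query

    def store(self, cert_id: str, resp: OcspResponse, now: datetime) -> None:
        """Cache a responder reply until nextUpdate, or for cacheTimeout if absent."""
        self.pending.discard(cert_id)
        if abs(resp.produced_at - now) > self.skew:
            return   # producedAt outside the tolerated skew: do not trust or cache it
        expires = resp.next_update if resp.next_update else now + self.cache_timeout
        self.entries[cert_id] = (resp, expires)

    def handshake(self, cert_id: str, now: datetime):
        """Return (status to staple or None, True if a fresh query goes out)."""
        entry = self.entries.get(cert_id)
        if entry and now < entry[1]:
            return entry[0].cert_status, False       # valid entry: staple it
        # Miss or expired: the certificate goes to the client without a status,
        # and a query is sent unless an earlier one is still awaiting a response.
        self.entries.pop(cert_id, None)
        waiting = cert_id in self.pending
        self.pending.add(cert_id)
        return None, not waiting

def run_scenario():
    """Constructed timeline for one server certificate; returns the decisions."""
    t0 = datetime(2017, 1, 9, tzinfo=timezone.utc)
    m = lambda n: t0 + timedelta(minutes=n)
    c = StaplingCache(cache_timeout_min=30, produced_at_skew_s=300)
    out = [c.handshake("srv1", t0), c.handshake("srv1", m(1))]   # miss, then still waiting
    c.store("srv1", OcspResponse("good", m(1), next_update=m(60)), m(1))
    out += [c.handshake("srv1", m(59)), c.handshake("srv1", m(61))]  # cached, then expired
    c.store("srv1", OcspResponse("good", m(61), next_update=None), m(61))
    out += [c.handshake("srv1", m(90)), c.handshake("srv1", m(92))]  # 30-min fallback
    c.store("srv1", OcspResponse("good", t0, next_update=None), m(92))  # stale producedAt
    out.append(c.handshake("srv1", m(93)))
    return out
```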

Configuring OCSP Stapling

Configuring OCSP stapling involves enabling the feature and configuring OCSP. To configure OCSP, you must add an OCSP responder, bind the OCSP responder to a CA certificate, and bind the certificate to an SSL virtual server.

Enabling OCSP Stapling

As soon as you enable OCSP stapling, the NetScaler appliance sends a request to the OCSP responder, for the revocation status of the server certificate that is bound to the SSL virtual server. Upon receiving the response, the appliance caches it until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for a user-specified period. This status is sent to the client during the SSL handshake.

To enable OCSP stapling by using the NetScaler command line

At the command prompt, type:

set ssl vserver <name> -ocspStapling ( ENABLED | DISABLED )
> set ssl vserver vip1 -ocspStapling ENABLED
Done
> sh ssl vserver vip1
 
 Advanced SSL configuration for VServer vip1:
 DH: DISABLED
 DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
 Session Reuse: ENABLED Timeout: 120 seconds
 Cipher Redirect: DISABLED
 SSLv2 Redirect: DISABLED
 ClearText Port: 0
 Client Auth: DISABLED
 SSL Redirect: DISABLED
 Non FIPS Ciphers: DISABLED
 SNI: ENABLED
 OCSP Stapling: ENABLED
 SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
 Push Encryption Trigger: Always
 Send Close-Notify: YES
 
 ECC Curve: P_256, P_384, P_224, P_521
 
1) CertKey Name: server_certificate1 Server Certificate

1) Cipher Name: DEFAULT
 Description: Default cipher list with encryption strength >= 128bit
Done

To enable OCSP stapling by using the NetScaler GUI

  1. Navigate to Traffic Management > SSL > Virtual Server.
  2. Open a virtual server and, in SSL Parameters, select OCSP Stapling.

Configuring OCSP

An OCSP responder can be dynamically added (in the case of an internal responder) on the basis of the OCSP URL in the server certificate, or an OCSP responder can be manually added from the NetScaler CLI or GUI.

Note

A manually added OCSP responder takes precedence over a dynamically added responder.

To dynamically create an internal OCSP responder, the appliance needs the following:

  • Certificate of the issuer of the server certificate (usually the CA certificate).
  • Certificate-key pair of the server certificate. This certificate must contain the OCSP URL provided by the CA. The URL is used as the name of the dynamically added internal responder.

An internal OCSP responder cannot be removed (deleted) or unbound from the virtual server. To remove an internal OCSP responder, you must remove the issuer or the server certificate.

Note

Batching depth and batching delay parameters do not apply to server certificates.

To configure OCSP by using the command line interface

At the command prompt, type the following commands to configure OCSP and verify the configuration:

  • add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]
  • add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED ) [-cacheTimeout <positive_integer>]] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )] [-insertClientCert ( YES | NO )]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • show ssl ocspResponder [<name>]
add ssl certKey root_ca1 -cert root_cacert.pem
add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
bind ssl certKey root_ca1 -ocspResponder ocsp_responder1 -priority 1
sh ssl ocspResponder ocsp_responder1
1) Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled        Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
Done

show ssl certKey root_ca1
Name: root_ca1     Status: Valid,   Days to expiration:8907
Version: 3
…
1)  OCSP Responder name: ocsp_responder1     Priority: 1
Done

To modify OCSP by using the command line interface

You cannot modify the name of an OCSP responder, but you can use the set ssl ocspResponder command to change any of the other parameters.

At the command prompt, type the following commands to set the parameters and verify the configuration:

  • set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED )] [-cacheTimeout <positive_integer>] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>] [-signingCert <string>] [-useNonce ( YES | NO )]
  • unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
  • bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
  • show ssl ocspResponder [<name>]

To configure OCSP by using the configuration utility

  1. Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP responder.
  2. Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
  3. Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
  4. Optionally, select OCSP Mandatory.