- Configuring SSL Offloading
- Enhanced SSL Profiles Infrastructure Overview
- Managing Certificates
- Managing Certificate Revocation Lists
- Monitoring Certificate Status with OCSP
- Providing the Revocation Status of a Server Certificate to a Client
- Configuring Client Authentication
- Customizing the SSL Configuration
- Configuring SSL Actions and Policies
- Use Case 1: Configuring SSL Offloading with End-to-End Encryption
- Use Case 2: Configuring Transparent SSL Acceleration
- Use Case 3: Configuring SSL Acceleration with HTTP on the Front End and SSL on the Back End
- Use Case 4: SSL Offloading with Other TCP Protocols
- Use Case 5: Configuring SSL Bridging
- Use Case 6: Configuring SSL Monitoring when Client Authentication is Enabled on the Backend Service
- Use Case 7: Configuring a Secure Content Switching Server
- Ciphers Supported by the NetScaler Appliance
- FIPS Approved Ciphers
- Cipher/Protocol Support Matrix on the NetScaler Appliance
- Server Certificate Support Matrix on the NetScaler Appliance
- Support for MPX 5900 and MPX/SDX 8900 Platforms
- Configuring the MPX 9700/10500/12500/15500 FIPS Appliances
- Configuring the MPX 14000 FIPS Appliance
- Configuring an SDX 14000 FIPS Appliance
- Support for a Hybrid FIPS Mode on the MPX/SDX 14000 FIPS Platform
- Support for Thales nShield® HSM
- Support for SafeNet Network Hardware Security Module
- Troubleshooting
- SSL FAQs
Providing the Revocation Status of a Server Certificate to a Client
Jan 09, 2017
The NetScaler implementation of CRL and OCSP reports the revocation status of client certificates only. To check the revocation status of a server certificate received during an SSL handshake, a client must send a request to a certificate authority.
For web sites with heavy traffic, many clients receive the same server certificate. If each client sent a query for the revocation status of the server certificate, the certificate authority would be inundated with OCSP requests to check the validity of the certificate.
OCSP Stapling Solution
To avoid unnecessary congestion, the NetScaler appliance now supports OCSP stapling. That is, the appliance can now send the revocation status of a server certificate to a client, at the time of the SSL handshake, after validating the certificate status from an OCSP responder. The revocation status of a server certificate is "stapled" to the response the appliance sends to the client as part of the SSL handshake. To use the OCSP stapling feature, you must enable it on an SSL virtual server and add an OCSP responder on the appliance.
Note
NetScaler appliances support OCSP stapling as defined in RFC 6066.
OCSP stapling is supported only on the front-end of NetScaler appliances.
Important
NetScaler support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher. This feature is not supported in a cluster setup.
OCSP Response Caching of Server Certificates
During the SSL handshake, when a client requests the revocation status of the server certificate, the NetScaler appliance first checks its local cache for an entry for this certificate. If an entry is found and is still valid, it is evaluated, and the server certificate and its status are presented to the client. If a revocation status entry is not found, the appliance sends the certificate to the client without the status, sends a request for the revocation status of the server certificate to the OCSP responder, and stores the response in its local cache until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for the configured length of time.
The revocation status of a server certificate might not be available when a client initially requests a server certificate, for two reasons. Either the appliance sent a request but is still waiting for a response from the OCSP responder, or the server certificate status information on the appliance has expired and the appliance has to send a fresh request to the OCSP responder.
Configuring OCSP Stapling
Configuring OCSP stapling involves enabling the feature and configuring OCSP. To configure OCSP, you must add an OCSP responder, bind the OCSP responder to a CA certificate, and bind the certificate to an SSL virtual server.
Enabling OCSP Stapling
As soon as you enable OCSP stapling, the NetScaler appliance sends a request to the OCSP responder, for the revocation status of the server certificate that is bound to the SSL virtual server. Upon receiving the response, the appliance caches it until the nextUpdate time of the OCSP response. If the nextUpdate field is not present, the response is cached for a user-specified period. This status is sent to the client during the SSL handshake.
To enable OCSP stapling by using the NetScaler command line
At the command prompt, type:
set ssl vserver <name> -ocspstapling [ENABLED | DISABLED]
Example
Copy
> set ssl vserver vip1 -ocspStapling ENABLED
Done
> sh ssl vserver vip1
Advanced SSL configuration for VServer vip1:
DH: DISABLED
DH Private-Key Exponent Size Limit: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 120 seconds
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
OCSP Stapling: ENABLED
SSLv2: DISABLED SSLv3: DISABLED TLSv1.0: ENABLED TLSv1.1: ENABLED TLSv1.2: ENABLED
Push Encryption Trigger: Always
Send Close-Notify: YES
ECC Curve: P_256, P_384, P_224, P_521
1) CertKey Name: server_certificate1 Server Certificate
1) Cipher Name: DEFAULT
Description: Default cipher list with encryption strength >= 128bit
Done
To enable OCSP stapling by using the NetScaler GUI
- Navigate to Traffic Management > SSL > Virtual Server.
- Open a virtual server and, in SSL Parameters, select OCSP Stapling.
Configuring OCSP
An OCSP responder can be dynamically added (in the case of an internal responder) on the basis of the OCSP URL in the server certificate, or an OCSP responder can be manually added from the NetScaler CLI or GUI.
Note
A manually added OCSP responder takes precedence over a dynamically added responder.
To dynamically create an internal OCSP responder, the appliance needs the following:
- Certificate of the issuer of the server certificate (usually the CA certificate).
- Certificate-key pair of the server certificate. This certificate must contain the OCSP URL provided by the CA. The URL is used as the name of the dynamically added internal responder.
An internal OCSP responder cannot be removed (deleted) or unbound from the virtual server. To remove an internal OCSP responder, you must remove the issuer or the server certificate.
Note
Batching depth and batching delay parameters do not apply to server certificates.
To configure OCSP by using the command line interface
At the command prompt, type the following commands to configure OCSP and verify the configuration:
- add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]
- add ssl ocspResponder <name> -url <URL> [-cache ( ENABLED | DISABLED )[-cacheTimeout <positive_integer>]] [-resptimeout <positive_integer>] [-responderCert <string> | -trustResponder] [-producedAtTimeSkew <positive_integer>][-signingCert <string>][-useNonce ( YES | NO )][ -insertClientCert ( YES | NO )]
- bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
- show ssl ocspResponder [<name>]
Example
Copy
add ssl certkey root_ca1 –cert root_cacert.pem
add ssl ocspResponder ocsp_responder1 -url "http:// www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
bind ssl certKey root_ca1 -ocspResponder ocsp_responder1 -priority 1
sh ocspResponder ocsp_responder1
1)Name: ocsp_responder1
URL: http://www.myCA.org:80/ocsp/, IP: 192.128.22.22
Caching: Enabled Timeout: 30 minutes
Batching: 8 Timeout: 100 mS
HTTP Request Timeout: 100mS
Request Signing Certificate: sign_cert
Response Verification: Full, Certificate: responder_cert
ProducedAt Time Skew: 300 s
Nonce Extension: Enabled
Client Cert Insertion: Enabled
Done
show certkey root_ca1
Name: root_ca1 Status: Valid, Days to expiration:8907
Version: 3
…
1) OCSP Responder name: ocsp_responder1 Priority: 1
Done
To modify OCSP by using the command line interface
You cannot modify the name of an OCSP responder, but you can use the set ssl ocspResponder command to change any of the other parameters.
At the command prompt, type the following commands to set the parameters and verify the configuration:
- set ssl ocspResponder <name> [-url <URL>] [-cache ( ENABLED | DISABLED)] [-cacheTimeout <positive_integer>] [-resptimeout <positive_integer>] [ -responderCert <string> | -trustResponder][-producedAtTimeSkew <positive_integer>][-signingCert <string>] [-useNonce ( YES | NO )]
- unbind ssl certKey [<certkeyName>] [-ocspResponder <string>]
- bind ssl certKey [<certkeyName>] [-ocspResponder <string>] [-priority <positive_integer>]
- show ssl ocspResponder [<name>]
To configure OCSP by using the configuration utility
- Navigate to Traffic Management > SSL > OCSP Responder, and configure an OCSP responder.
- Navigate to Traffic Management > SSL > Certificates, select a certificate, and in the Action list, select OCSP Bindings. Bind an OCSP responder.
- Navigate to Traffic Management > Load Balancing > Virtual Servers, open a virtual server, and click in the Certificates section to bind a CA certificate.
- Optionally, select select OCSP Mandatory.