5.5 Configuring the Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) is a protocol for determining the revocation status of a certificate. With OCSP, an external service (an OCSP responder) supplies the revocation information instead of Novell iChain downloading and evaluating Certificate Revocation Lists itself. Because the responder answers for each certificate at query time, its information can also be more current than a CRL, which is only reissued periodically.

As with Certificate Revocation Lists (CRLs), an extension in the certificate specifies the Uniform Resource Identifier (URI) to be used. For OCSP, the extension is the Authority Information Access (AIA) extension, which specifies the location of the OCSP service.

In addition, the OCSP standard allows for a local configuration option that is supported by iChain. This option allows the administrator to configure the location of the OCSP service. When the local configuration option is used, it overrides any information specified in the certificate. Also, when the local configuration option is used, it applies to all certificates, whether or not they contain the AIA extension.

During the certificate validation processes, iChain uses OCSP (if it is configured or specified) followed by CRLs (if specified) to determine the revocation status of the certificates. During this process, if OCSP is able to determine the revocation status of a certificate, then CRLs are not used. Thus, OCSP enables iChain to bypass the CRL downloads, which can save processing time when the CRLs have expired and need to be downloaded.

NOTE: Because iChain caches CRLs, any time saving only applies where valid CRLs were not previously cached. In general, OCSP does not provide better processing time than CRLs. Rather, cached CRLs provide better performance than OCSP.

In the OCSP process, there is an OCSP client (iChain) and an OCSP responder (a third-party OCSP server). The client (iChain) sends a request for a specific certificate to the OCSP responder and waits for a signed response. The responder reports the status of the certificate in question as good (not revoked), revoked, or unknown. It can instead return an error response (for example, malformed request, internal error, try later, signature required, or unauthorized). An error response carries no status for the certificate in question, so it gives iChain no indication whether the certificate is revoked.

In iChain, you configure OCSP at the command line. The following are samples of the commands that relate directly and indirectly to OCSP and certificate validity, along with an explanation of each. This configuration is done through the SSL profile. In each of these examples, ssl refers to the name of your SSL mutual authentication profile.

authentication ssl mutual useocspconfiguredsource = No

Specifies whether to enable the local configuration option. The default is No. Change it to Yes if you want to configure iChain to always use a specific OCSP responder (for example, a locally determined OCSP server) for revocation checking.

NOTE: In order to use the local configuration option, you must also use the command authentication ssl mutual url to specify which OCSP server to use.

authentication ssl mutual url = (currently no values assigned)

Specifies the locally configured OCSP responder location. This value overrides any information stored in the certificate.

NOTE: In order to use the local configuration option, you must also use the command authentication ssl mutual useocspconfiguredsource = Yes to turn on the local configuration option.

Set this value to the URL of the OCSP server. The scheme must be included as part of the URL: http:// for plain HTTP or https:// for SSL. For example, http://ocsp.openvalidation.org. OCSP responses are themselves signed by the responder, so plain HTTP is the usual deployment; https:// adds transport protection only and must be supported by the responder.

authentication ssl mutual signedrequestcert = (currently no values assigned)

Specifies the server certificate to use to sign the OCSP request. You specify the certificate name exactly as it is shown in the Certificate Maintenance page in the proxy server interface after you have created the certificate. See Section 15.0, Using iChain to Manage Certificates for more information. Request signing is an optional OCSP feature and should only be used if the OCSP responder requires it. Normally this command is not used. If it is used, the server certificate must be one that the OCSP responder accepts. (Contact the administrator of the OCSP service for details and requirement specifications.)

NOTE: To create this server certificate, follow the normal iChain procedure for creating a server certificate. See Section 15.0, Using iChain to Manage Certificates for more information.

The following settings are not directly specific to OCSP, but can influence it indirectly.

authentication ssl mutual verifyrootca = Yes

Specifies whether to provide revocation checking on the root Certificate Authority (CA). The default is Yes. If you change this setting to No, iChain does not check the revocation status of the root certificate (even if the certificate specifies a method for doing so).

WARNING: Changing this setting to No can reduce the security of your system.

authentication ssl mutual disablerevocationchecks = No

Specifies whether to disable revocation checking on all certificates. The default and recommended setting is No.

WARNING: Do not disable revocation checking in a production environment. Changing this setting to Yes can reduce the security of your system.

authentication ssl mutual mapx500crltoldap = (currently no values assigned)

Specifies the IP address or DNS name of the LDAP server to use when a certificate's CRL distribution point is an X.500 directory name rather than a URL. The X.500 name is mapped to an LDAP name and then the LDAP protocol is used to download the CRL from that server. iChain only connects over the default port 389 (you cannot change the port) and binds anonymously (you cannot specify a username or password), so the CRL entry must be readable without authentication.

NOTE: This option is available because X.500 does not support the concept of a multiple tree environment, but LDAP does.
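The following is an added example, not iChain code, of the mapping that mapx500crltoldap describes: an X.500 directoryName CRL distribution point, as decoded from a certificate, is turned into the LDAP URL used to fetch the CRL from the configured server on port 389. The hostname and the distinguished name are constructed; the leaf-first ordering of the LDAP string DN and the attribute name certificateRevocationList;binary come from RFC 4514 and RFC 4523, not from anything this page states.

```python
"""Map an X.500 directoryName CRL distribution point to an LDAP URL.

Added illustration, not iChain code.  The DN and host are constructed;
RDN-order reversal and the CRL attribute name are assumptions drawn from
RFC 4514 / RFC 4523 rather than from the iChain documentation.
"""
from typing import List, Tuple
from urllib.parse import quote

# A directoryName CRL DP as it decodes from the certificate: a sequence of
# RDNs in ASN.1 (root-first) order.  Constructed sample data.
CRL_DP_X500: List[Tuple[str, str]] = [
    ("o", "Example Corp"),
    ("ou", "Security"),
    ("cn", "CA1"),
    ("cn", "CRL1"),
]

LDAP_PORT = 389   # iChain connects only to this port, anonymously


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for the string form of an attribute value."""
    specials = ',+"\\<>;'
    out = "".join("\\" + c if c in specials else c for c in value)
    if out[:1] in ("#", " "):          # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):              # so must a trailing space
        out = out[:-1] + "\\ "
    return out


def x500_to_ldap_dn(rdns: List[Tuple[str, str]]) -> str:
    """LDAP string DNs list RDNs leaf-first, the reverse of ASN.1 order."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in reversed(rdns))


def crl_ldap_url(rdns: List[Tuple[str, str]], ldap_host: str) -> str:
    """RFC 4516 URL asking the mapped entry for its CRL attribute."""
    dn = quote(x500_to_ldap_dn(rdns), safe="=,")
    return f"ldap://{ldap_host}:{LDAP_PORT}/{dn}?certificateRevocationList;binary"


if __name__ == "__main__":
    print(x500_to_ldap_dn(CRL_DP_X500))
    print(crl_ldap_url(CRL_DP_X500, "ldap.example.test"))
```

The reversal is the step that usually goes wrong when such a mapping is hand-rolled: the ASN.1 Name stores the root RDN first, while the LDAP string form (and therefore the URL) starts with the leaf RDN.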

set authentication mutual_auth_profile_name mutual revocationcheckmethod = OCSP

Revocation is checked against the location carried in the certificate (the AIA extension for OCSP, the CRL distribution point for CRLs), unless the local configuration option above overrides it. The certificate revocation method is set using the following setting:

revocationcheckmethod=method

The method is the type of certificate revocation checking performed during mutual authentication. The following Certificate Revocation checks are available depending on the value of the revocationcheckmethod parameter:

The Certificate Revocation List (CRL) is checked when the following conditions exist:

NOTE: If your certificate revocation method is set to OCSP-CRL, a client certificate is still allowed to authenticate the user when the OCSP responder returns an unknown response and the certificate contains no CRL distribution point, because there is no CRL to fall back to. This is a fail-open condition. If you do not want a certificate whose status could not be determined to authenticate the user, set your revocation method to OCSP only.
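The following is an added illustration of the decision order described in this section (OCSP first, CRL only if OCSP could not determine the status, and the OCSP-CRL versus OCSP-only difference for an unknown response). It is not iChain code: the responder and the CRL download are replaced with constructed in-memory tables so it runs offline, and the host names are hypothetical. Two points the page leaves open are treated as assumptions and marked as such in the code: a responder error response is handled like an unknown response (it conveys no status), and a CRL that cannot be downloaded results in a deny.

```python
"""Model of iChain-style revocation checking: OCSP first, CRL fallback.

Added illustration, not iChain code.  The OCSP responder and the CRL fetch
are constructed in-memory tables.  Assumptions (not stated on the page):
a responder error response is treated like "unknown", and a CRL that
cannot be downloaded results in a deny.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class ClientCert:
    serial: int
    aia_ocsp: Optional[str] = None   # OCSP URI from the AIA extension, if any
    crl_dp: Optional[str] = None     # CRL distribution point URI, if any


@dataclass
class MutualAuthProfile:
    revocationcheckmethod: str = "OCSP-CRL"   # "OCSP" or "OCSP-CRL"
    useocspconfiguredsource: bool = False     # the local configuration option
    url: Optional[str] = None                 # locally configured responder
    disablerevocationchecks: bool = False


# Constructed responder and CRL state (hypothetical hosts).  Serial 1003 is
# absent from the responder's table, so it answers "unknown" for it.
OCSP_RESPONDERS: Dict[str, Dict[int, str]] = {
    "http://ocsp.example.test": {1001: "good", 1002: "revoked"},
}
CRLS: Dict[str, Set[int]] = {
    "http://crl.example.test/ca.crl": {1003},
}


def responder_location(cert: ClientCert, profile: MutualAuthProfile) -> Optional[str]:
    """The local configuration overrides the AIA extension and applies to
    every certificate, whether or not it carries AIA."""
    if profile.useocspconfiguredsource:
        if not profile.url:
            raise ValueError("useocspconfiguredsource=Yes requires url to be set")
        return profile.url
    return cert.aia_ocsp


def ocsp_status(url: str, serial: int) -> str:
    """good / revoked / unknown, or 'error' when no status is conveyed."""
    table = OCSP_RESPONDERS.get(url)
    if table is None:
        return "error"          # responder unreachable or error response
    return table.get(serial, "unknown")


def crl_status(url: str, serial: int) -> str:
    revoked = CRLS.get(url)
    if revoked is None:
        return "error"          # CRL could not be downloaded
    return "revoked" if serial in revoked else "good"


def check_revocation(cert: ClientCert, profile: MutualAuthProfile) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) in the order iChain uses: OCSP
    first, CRL only if OCSP did not determine the status."""
    if profile.disablerevocationchecks:
        return "allow", "revocation checking disabled (not for production)"

    url = responder_location(cert, profile)
    if url is not None:
        status = ocsp_status(url, cert.serial)
        if status == "good":
            return "allow", "OCSP: good"
        if status == "revoked":
            return "deny", "OCSP: revoked"
        # unknown or error (assumed equivalent): OCSP did not decide, fall through

    if profile.revocationcheckmethod == "OCSP":
        return "deny", "OCSP did not determine status and CRL fallback is off"

    # OCSP-CRL: fall back to the CRL distribution point, if the cert has one
    if cert.crl_dp is None:
        return "allow", "OCSP undetermined and no CRL DP: fail-open (OCSP-CRL)"
    status = crl_status(cert.crl_dp, cert.serial)
    if status == "good":
        return "allow", "CRL: not listed"
    if status == "revoked":
        return "deny", "CRL: revoked"
    return "deny", "CRL unavailable (assumed deny)"


if __name__ == "__main__":
    profile = MutualAuthProfile()
    for cert in (
        ClientCert(1001, aia_ocsp="http://ocsp.example.test"),
        ClientCert(1003, aia_ocsp="http://ocsp.example.test"),   # fail-open
        ClientCert(1003, aia_ocsp="http://ocsp.example.test",
                   crl_dp="http://crl.example.test/ca.crl"),
    ):
        print(cert.serial, check_revocation(cert, profile))
```

Running the three sample certificates shows the practical consequence of the NOTE: serial 1003 is on the CRL, but with OCSP-CRL it is only rejected when the certificate actually carries a CRL distribution point; without one, the unknown OCSP answer lets it through, and only the OCSP-only method turns that into a deny.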

5.5.1 New OCSP Setting in iChain 2.3 Support Pack 1

In iChain 2.3 Support Pack 1, a new OCSP setting is introduced:

set authentication <ssl auth profile name> mutual ocspconfiguredcerts = <trusted_root_container>


This setting is needed only when the OCSP responder's signing certificate is issued by a different CA than the certificate that iChain is validating through OCSP. If the responder's signing certificate is issued by the same CA, iChain can already verify the response signature through that CA, and this setting is not needed.

For this setting, trusted_root_container is the fully qualified name of a Trusted Root Container object in the LDAP authorization server tree. It must contain the trusted root (CA certificate) of the OCSP responder's signing certificate; that is what allows iChain to verify responses signed by that responder.

You create this object and the trusted root object the same way you create the trusted root container configured in the ISO object. It could be the same one that is in the ISO object, or it could be another trusted root container.

This new setting can only be set from the command line. The components of the trusted root container's fully qualified name are semicolon (;)-delimited, and the name does not include the tree name.

For example, if you enter the following command:

get authentication ssl auth profile name

you see the following on your server for this setting:

authentication ssl mutual ocspconfiguredcerts = cn=OCSPTRContainer;cn=Security