This post is about OCSP on NetScaler for SSL/TLS: what we gain from it and how to implement it on the appliance.
Intro
Online Certificate Status Protocol (OCSP) is an alternative to the Certificate Revocation List (CRL); both are methods of checking the revocation status of a certificate.
With the CRL method the client has to download a potentially large list of revocation information (the serial number of every revoked certificate, its revocation date and the list's publication date) and search it. Fetching and parsing that list adds time to the SSL/TLS negotiation.
OCSP does not require the client to download and search a list. The client simply posts a query for one certificate to an OCSP responder and receives a signed response stating the revocation status of that certificate.
When OCSP is configured on NetScaler as an OCSP binding on a CA certificate, only the client certificate is checked (during client certificate authentication).
To check the revocation status of the server certificate during the SSL handshake, the client has to query the certificate authority's OCSP responder itself, unless the appliance uses OCSP stapling, which is supported from NetScaler 11.1 build 51.21.
With OCSP stapling NetScaler obtains the revocation status of its own server certificate. Instead of every client contacting the CA for the revocation check, NetScaler sends one OCSP request to the responder (for example the CA's), caches the signed response until its NextUpdate time and staples it into the TLS handshake. For subsequent handshakes NetScaler serves the cached response first and only contacts the CA OCSP responder again once the cache has expired.
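The exchange described above, as an added example that is not part of the original post: one complete OCSP request/response/verification cycle run offline with openssl playing the CA, the OCSP responder and the validating party (the role NetScaler takes when it staples). The CA, the server certificate (serial 0x1001, CN web.example) and the responder database are constructed test data; the script assumes openssl 1.1.1 or later and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): one full OCSP exchange done
# offline with openssl playing the CA, the OCSP responder and the validating
# party (the role NetScaler takes when it staples). Requires openssl 1.1.1+.
set -eu

# Constructed test PKI: a throwaway issuing CA and a server certificate with
# a fixed serial number (0x1001) so the responder database can refer to it.
setup_pki() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Issuing CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=web.example" \
        -keyout "$dir/web.key" -out "$dir/web.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/web.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 0x1001 -days 30 -out "$dir/web.pem" >/dev/null 2>&1
    printf '%s\n' "$dir"
}

# Responder database in the index.txt layout that "openssl ocsp -index" reads:
# status (V valid / R revoked), expiry, revocation date, serial (hex),
# file name, subject DN, tab separated. Only the status and the revocation
# date matter to the responder.
write_index() {
    dir=$1; status=$2; revdate=""
    if [ "$status" = "R" ]; then revdate="240601000000Z"; fi
    printf '%s\t%s\t%s\t%s\tunknown\t%s\n' \
        "$status" "350101000000Z" "$revdate" "1001" "/CN=web.example" \
        > "$dir/index.txt"
}

# One exchange for web.pem. Prints the status word taken from the verified
# response: "good", "revoked" or "unknown".
ocsp_status() {
    dir=$1
    write_index "$dir" "$2"
    # Client side (NetScaler when stapling): build the OCSPRequest from the
    # issuer name hash, the issuer key hash and the certificate serial.
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/web.pem" -no_nonce \
        -reqout "$dir/req.der" >/dev/null 2>&1
    # Responder side: look the serial up, sign the answer with the CA key and
    # set NextUpdate 30 minutes out; that is how long a cache may reuse it.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" \
        -rsigner "$dir/ca.pem" -rkey "$dir/ca.key" -nmin 30 \
        -reqin "$dir/req.der" -respout "$dir/resp.der" \
        -CAfile "$dir/ca.pem" >/dev/null 2>&1
    # Validating side: check that the response signature chains to the CA,
    # that thisUpdate/nextUpdate are current, and read the status for web.pem.
    openssl ocsp -respin "$dir/resp.der" -issuer "$dir/ca.pem" \
        -cert "$dir/web.pem" -CAfile "$dir/ca.pem" -no_nonce \
        > "$dir/verify.txt" 2>/dev/null
    sed -n 's/^.*web\.pem: \([a-z]*\).*$/\1/p' "$dir/verify.txt"
}

PKI=$(setup_pki)
echo "responder DB says valid  : $(ocsp_status "$PKI" V)"
echo "responder DB says revoked: $(ocsp_status "$PKI" R)"
rm -rf "$PKI"
```

The two runs show the only difference a stapling appliance ever sees: the same signed response format with status good or revoked, and a NextUpdate that bounds how long a cached copy stays valid. Against a real vServer the equivalent check from a client is `openssl s_client -connect <vip>:443 -status`, which prints the stapled OCSP response (or "OCSP response: no response sent" when stapling is not working).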
Benefits and objectives
- Increased security
  - If a certificate is revoked the connection is reset and no content is served
- Better performance
  - Faster SSL/TLS negotiation, since clients no longer have to fetch revocation data themselves
  - The CA's OCSP responder is offloaded, because NetScaler answers from its cache
OCSP traffic flow
The two traffic flows are illustrated below.
OCSP stapling: NetScaler queries the OCSP responder for its own server certificate, caches the response until NextUpdate and staples it into the handshake with the client.
OCSP with client authentication: the client presents its certificate and NetScaler queries the OCSP responder bound to the issuing CA certificate for the status of that client certificate.
OCSP Configuration steps
Via The GUI:
OCSP is configured by enabling an OCSP binding on the intermediate (issuing) CA certificate:
Add the responder. If the responder URL is published in the certificate (Authority Information Access extension), the responder is created automatically and already shows up here; otherwise add the OCSP responder by hand:
Add the OCSP responder from the CLI:
add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -responderCert responder_cert -producedAtTimeSkew 300 -signingCert sign_cert -insertClientCert YES
OCSP stapling is a check box on the SSL vServer:
The last step, for client certificate checks, is to bind the intermediate CA certificate as a CA certificate on the SSL vServer:
and to choose OCSP Mandatory in the CRL and OCSP Check dropdown.
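The same configuration done from the NetScaler CLI, as an added example that is not part of the original post. The names (ocsp_responder1, intermediate_ca, server_cert, client_ca, vs_web) and the responder URL are placeholders; the responderCert, signingCert and insertClientCert options from the command above are omitted here because they are only needed when the responder's signing certificate differs from the CA or when the responder wants the client certificate in the request. Lines starting with # are annotations, not CLI input.

```text
# 1. The OCSP responder (the URL is the one published in the certificate's AIA extension).
add ssl ocspResponder ocsp_responder1 -url "http://www.myCA.org:80/ocsp/" -cache ENABLED -cacheTimeout 30 -resptimeout 100 -producedAtTimeSkew 300

# 2. Bind the responder to the issuing (intermediate) CA certificate-key pair.
bind ssl certKey intermediate_ca -ocspResponder ocsp_responder1 -priority 1

# 3. Stapling: link the server certificate to that issuer so the appliance knows
#    which responder to ask, bind it to the vServer and enable stapling.
link ssl certKey server_cert intermediate_ca
bind ssl vserver vs_web -certkeyName server_cert
set ssl vserver vs_web -ocspStapling ENABLED

# 4. Client certificate check: bind the client CA with a mandatory OCSP check.
set ssl vserver vs_web -clientAuth ENABLED -clientCert Mandatory
bind ssl vserver vs_web -certkeyName client_ca -CA -ocspCheck Mandatory

# 5. Verify.
show ssl ocspResponder ocsp_responder1
show ssl vserver vs_web
```

With -ocspCheck Mandatory a handshake fails when the responder cannot be reached or returns unknown; Optional lets it continue in that case, which is the usual choice while validating reachability of the responder from the SNIP.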
Notes and requirements
- NetScaler reaches the OCSP responder over HTTP from its subnet IP (SNIP); that path has to be open in any firewall in between
- The certificate carries the OCSP responder URL in its Authority Information Access extension (otherwise the responder has to be added by hand)
- NetScaler appliances support OCSP as defined in RFC 2560 (since obsoleted by RFC 6960)
- OCSP stapling requires TLS 1.0 or higher, since the status request is carried in a TLS extension
- NetScaler appliances support OCSP stapling as defined in RFC 6066
- OCSP stapling is supported only on the front end of NetScaler appliances
- OCSP stapling is supported from NetScaler 11.1 build 51.21 onwards
Troubleshooting
From the NetScaler shell, check the OCSP counters:
nsconmsg -d stats | grep ocsp
From the NS CLI, verify the responder configuration:
show ssl ocspResponder
Other references
Citrix Docs: Monitoring Certificate Status with OCSP
Citrix Docs: Providing the Revocation Status of a Server Certificate to a Client