Should I use OCSP?

An OCSP responder provides up-to-date revocation status and, in some implementations, certificate whitelisting. Whitelisting gives relying parties additional assurance by confirming that the CA actually issued the certificate being checked, rather than only confirming that it has not been revoked. In comparison to CRL checking, an OCSP request carries far less data and is easier for networks to handle, because a client asks about one certificate instead of downloading the latest list of every certificate the CA has revoked each time it performs a check.

Revocation checking is broken and has been for some time. Whilst some vendors have sort of worked around this with proprietary solutions (browser-maintained revocation lists pushed out with updates, for example), there is little that smaller sites can do. The original mechanism was the Certificate Revocation List (CRL): a list of all certificates that a CA had revoked, which a client could download to check whether the certificate it had been served was on it.

These lists didn't scale, and downloading such large files eventually became a problem, so the Online Certificate Status Protocol, or OCSP, was born. Instead of downloading a list of every revoked certificate, the client submits a request to the CA's responder asking for the status of the specific certificate it has received (identified by issuer and serial number) and gets back a signed answer. Sadly OCSP was riddled with problems of its own. CA responder infrastructure was often slow or unavailable, and because a browser that cannot reach the responder typically soft-fails and carries on regardless, an attacker who can block that request defeats the check entirely. There is also the privacy concern that every OCSP request leaks the site a client is visiting to the CA.

The fix for both problems was OCSP stapling. Instead of the client making the OCSP request to the CA, the web server makes the request itself, periodically, and 'staples' the signed response to the certificate when it serves it, so the client never contacts the CA and still gets fresh status. That left one final problem: the client had no way of knowing that a site supports stapling, so it could not tell whether a missing stapled response was normal or the sign of an attack, and it fell back to the same unreliable checks as before. OCSP Must-Staple solves this with a flag carried in the certificate itself, the TLS Feature extension defined in RFC 7633. This flag instructs the browser that the certificate must be served with a valid OCSP response, and that if it is not, the browser should hard fail on the connection.

How you set the OCSP Must-Staple flag depends on how you obtain your certificates, but if you followed my previous guide on Getting started with Let's Encrypt then it's really easy: the extension goes into the Certificate Signing Request (CSR), and the CA copies it into the certificate it issues. Don't worry too much about the details of the extension encoding here; the config directive you need depends on your version of OpenSSL. With that aside, you're ready to regenerate your CSR. A quick scan will tell you exactly what you need; just look in the Authentication section of the report.

You can also check from the command line before you try to use the certificates, by inspecting both the CSR and the signed certificate you get back. To check your certificate, dump it in text form with the openssl x509 command. In the output you're looking for the X509v3 extensions section and specifically the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24) with the value status_request.

It's the same approach for the CSR, changing the command to use req instead of x509 and pointing it at the CSR file. In the output from the CSR you're looking for exactly the same thing as in the certificate. The big problem we had with revocation checking was that we couldn't rely on it. Now we can.
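Here is an added shell example, not code from the original post, that performs the steps above end to end: it writes an OpenSSL request config carrying the Must-Staple extension, generates a key and CSR from it, self-signs that CSR so the extension is carried into a certificate (standing in for what a CA such as Let's Encrypt does with the CSR), and then checks both the CSR and the certificate with the openssl req and openssl x509 text dumps, which is exactly the manual check described above. It assumes OpenSSL 1.1.0 or later, where the extension can be written as tlsfeature = status_request in the config; the raw-OID form for older releases is shown in a comment. The file names and the example.com subject are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original post: build a CSR and certificate
# that carry the OCSP Must-Staple (TLS Feature, RFC 7633) extension and check
# for it the same way you would check a CSR or certificate from a real CA.
# Assumes OpenSSL 1.1.0+ (for the 'tlsfeature' extension name) on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Request config. 'tlsfeature = status_request' is the named form of the
# extension; the commented line is the raw DER form for OpenSSL older than
# 1.1.0 (SEQUENCE of one INTEGER, 5 = status_request). The 'plain' section
# is used to build a CSR without the extension for contrast.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = must_staple
prompt             = no

[ dn ]
CN = example.com

[ must_staple ]
subjectAltName = DNS:example.com
tlsfeature     = status_request
# 1.3.6.1.5.5.7.1.24 = DER:30:03:02:01:05

[ plain ]
subjectAltName = DNS:example.com
EOF

# Return 0 if FILE carries the TLS Feature extension, 1 otherwise.
# KIND is 'req' for a CSR or 'x509' for a signed certificate, exactly the two
# openssl subcommands described above. The grep also matches the bare OID,
# which is what an OpenSSL build that does not know the name prints.
has_must_staple() {
    kind="$1"
    file="$2"
    openssl "$kind" -in "$file" -noout -text \
        | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Key and must-staple CSR, then a self-signed certificate issued from that CSR
# with the same extension section applied (a CA that honours the request copies
# the extension into the certificate in the same way).
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/staple.csr" -config "$WORK/req.cnf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/staple.csr" -signkey "$WORK/key.pem" -days 1 \
    -extfile "$WORK/req.cnf" -extensions must_staple -out "$WORK/staple.pem" >/dev/null 2>&1

# A CSR from the same key without the extension, for contrast.
openssl req -new -key "$WORK/key.pem" -config "$WORK/req.cnf" -reqexts plain \
    -out "$WORK/plain.csr" >/dev/null 2>&1

for f in staple.csr plain.csr; do
    if has_must_staple req "$WORK/$f"; then
        echo "$f: must-staple present"
    else
        echo "$f: must-staple absent"
    fi
done
if has_must_staple x509 "$WORK/staple.pem"; then
    echo "staple.pem: must-staple present"
fi
```

Point has_must_staple at the CSR you are about to submit and at the certificate you get back; if the first passes and the second does not, the CA dropped the extension and the certificate will not be protected.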

In the event of a compromise, or any other scenario where you find yourself needing to revoke your certificate, you can be confident that when a client that honours Must-Staple receives your certificate in a connection it will be forced to check for a stapled OCSP response. This offers a huge level of protection: the time an attacker can abuse a compromised certificate drops from the maximum life of the certificate, which at the time of writing could be up to 39 months, down to the maximum life of the last valid OCSP response the CA signed before the revocation, which could be a few hours and is at most a matter of days depending on the CA.
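To make the exchange described in the paragraphs above concrete, and to show where the 'maximum life of the last valid OCSP response' comes from, here is an added shell example that is not code from the original post. It plays both sides of the protocol offline with the openssl ocsp tool: a throwaway CA issues a certificate, the client builds a request for that one certificate, the CA's responder answers from its database and signs the response, the client verifies the signature against the CA and reads the status, and after the certificate is revoked the same exchange returns revoked. The -nmin argument sets the response's nextUpdate, which is the window during which a stapled copy of the earlier 'good' answer would still be accepted. It assumes an openssl binary on PATH; the CA name, the file names and the 60-minute validity are this example's own.

```sh
#!/bin/sh
# Added example, not code from the original post. Plays both sides of the
# OCSP exchange offline: 'openssl ocsp -index' acts as the CA's responder and
# the other invocations act as the client. Assumes an openssl binary on PATH;
# the CA name and all file names are this example's own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"          # the CA database the responder answers from
echo 1000 > "$WORK/serial"

# Minimal config for a throwaway CA ('openssl ca') and its root ('openssl req -x509').
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir           = $WORK
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/ca.pem
private_key   = \$dir/ca.key
default_md    = sha256
default_days  = 1
policy        = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = Demo OCSP CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA key and certificate, then one leaf certificate issued by it.
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 >/dev/null 2>&1
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=example.com" >/dev/null 2>&1
openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" \
    -out "$WORK/leaf.pem" -notext >/dev/null 2>&1

# One full exchange. NMIN is how many minutes the responder declares the answer
# valid for (its nextUpdate); a stapled copy of this response stays acceptable
# until then, whatever happens to the certificate in the meantime.
# Prints the status the client reads: good, revoked or unknown.
ocsp_status() {
    nmin="${1:-60}"
    # Client: build a request naming exactly one certificate (issuer hashes + serial).
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    # Responder: look the serial up in the CA database and sign the answer.
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -nmin "$nmin" \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" -noverify >/dev/null 2>&1
    # Client: verify the signature against the trusted CA and read the status.
    openssl ocsp -respin "$WORK/resp.der" -CAfile "$WORK/ca.pem" \
        -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" -no_nonce -resp_text \
        > "$WORK/verify.txt" 2>/dev/null
    sed -n 's/^.*leaf\.pem: //p' "$WORK/verify.txt"
}

# The nextUpdate time of the last verified response, i.e. the end of the window.
response_next_update() {
    sed -n '/Next Update: /{s/^[[:space:]]*Next Update: //p;q;}' "$WORK/verify.txt"
}

# Revoke the leaf in the CA database; nothing is reissued, the responder's
# next answer simply changes.
revoke_leaf() {
    openssl ca -batch -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" \
        -crl_reason keyCompromise >/dev/null 2>&1
}

STATUS_BEFORE=$(ocsp_status 60)
revoke_leaf
STATUS_AFTER=$(ocsp_status 60)
echo "before revocation: $STATUS_BEFORE"
echo "after revocation:  $STATUS_AFTER"
echo "last response valid until: $(response_next_update)"
```

The resp.der file written by the responder step is the same object a web server staples. A production server fetches it from the CA's responder over HTTP (openssl ocsp -url) instead of from a local index, but the response format and the client-side verification are identical, and a server that keeps serving the pre-revocation 'good' response is accepted until the nextUpdate shown above.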

It's not perfect, but OCSP Must-Staple presents the first opportunity for us to rely on revocation actually working. Two caveats are worth knowing before you set the flag. First, the hard fail only happens in clients that enforce the extension (Firefox does; Chrome has not implemented it), so other clients are no worse off but also no better protected. Second, once the flag is in your certificate, a server that fails to staple a response, or staples one that has expired, is hard-failed by enforcing clients, so stapling must be configured and monitored before such a certificate is deployed.

Scott Helme is an international speaker, security researcher and blogger who specialises in online security. He also founded report-uri.

The client side of OCSP can also live in network infrastructure rather than in a browser. On a device configured through the [ edit security pki ca-profile profile-name revocation-check ] hierarchy, requests are sent first to the OCSP server locations that are manually configured in CA profiles with the ocsp url statement at that level; up to two locations can be configured for each CA profile.

If the first configured OCSP server is not reachable, the request is sent to the second; if the second is not reachable either, the request is then sent to the location in the certificate's AuthorityInfoAccess extension field.

The use-ocsp option must also be configured, as certificate revocation list (CRL) checking is the default method. The response received is validated against trusted certificates before it is used, and only after the OCSP response has been validated is the certificate's revocation status read from it.

Since the CA signed the status, the web browser can trust the stapled response even though it arrived from the web server rather than from the CA. This is especially important for high-traffic websites: without stapling, every visitor's browser has to make its own round trip to the CA's responder before the page loads, and when the responder is slow that means slower response times for users of the website. OCSP stapling is also better for user privacy, because the CA no longer sees which clients are visiting which sites.
