Manual Chapter : BIG-IP 4.5 PTF-04 Features Guide: Online Certificate Status Protocol for the BIG-IP System

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5.9
Chapter 2: Online Certificate Status Protocol for the BIG-IP System


Introducing OCSP

Online Certificate Status Protocol (OCSP) is an industry-standard protocol that offers an alternative to a certificate revocation list (CRL) for checking whether a certificate has been revoked. A CRL is a list, published by a certificate authority, of the certificates it has revoked; a server system can consult that list while verifying a client certificate.

With this release, the BIG-IP system supports both CRLs and OCSP for use with its SSL proxy feature.

For more information on CRLs, see the BIG-IP Reference Guide.

The limitations of CRLs

When presented with a client certificate, the BIG-IP system sometimes needs to assess the revocation state of that certificate before accepting it and forwarding the connection to a target server. The standard method of assessing revocation status is a CRL, which is stored as a separate file on each machine in your configuration. Although CRLs are the standard way of checking the revocation status of SSL certificates, a CRL is published only at fixed intervals, so the copy being consulted may already be out of date when the status check occurs: a certificate revoked after the last update is still accepted until the next one arrives.

Having to store a separate CRL file on each machine presents further limitations:

  • All CRL files must be kept in sync.
  • Each copy of the CRL file must be kept current and protected; a stale or tampered copy on any one machine weakens revocation checking on that machine.
  • Multiple CRL files cannot be administered from a central location.

The benefits of OCSP

With OCSP, the BIG-IP system obtains the revocation status of a certificate from the responder at the time it verifies that certificate, rather than relying on a locally stored list.

OCSP is based on a client/server model. A BIG-IP SSL proxy acts as the OCSP client, and the OCSP server runs on an external system. (The OCSP server is third-party software and is not included in the BIG-IP system.)

The external system, known as an OCSP responder, returns the revocation status of the certificate to the SSL proxy. Until the proxy receives this status from the responder, it holds the connection. If the responder reports the certificate as revoked, the proxy denies the connection.

Figure 2.1 shows a basic OCSP implementation in a BIG-IP system configuration.

Figure 2.1 A basic OCSP configuration

How does OCSP on the BIG-IP system work?

Before using OCSP, you must configure the OCSP client and the OCSP responder to work together. Configuring OCSP means creating a responder definition on the BIG-IP system and then associating that definition with one or more SSL proxies. A responder definition is the set of data and instructions that the BIG-IP system uses to query the corresponding responder when validating a client certificate.

When a client presents a certificate to the BIG-IP system, the SSL proxy first checks that the signer of the certificate is listed in the trusted CAs file. If the signer is listed, the BIG-IP system then checks whether the certificate has been revoked. Without OCSP, the BIG-IP system can check revocation status by reading the certificate revocation list (CRL), if the CRL option is configured on the SSL proxy. With OCSP, the BIG-IP system instead sends a revocation status request to the appropriate OCSP responder. (If both the CRL and OCSP options are enabled, both checks must succeed; see the note at the end of this chapter.)

The BIG-IP system chooses the OCSP responder by taking the CA named in the Issuer field of the client certificate and matching it against the CAs listed in the responder definitions associated with that SSL proxy. The definitions considered are those named in the OCSP responder list option of the SSL proxy.

If a match exists, the BIG-IP system looks for a responder URL in the client certificate's AuthorityInfoAccess (AIA) extension. If the extension is present and the Ignore AIA parameter of the matching responder definition is disabled, the BIG-IP system sends the status request to the AIA URL. Otherwise, it sends the request to the URL specified in the Responder URL parameter of the matching definition.

If no match exists, the BIG-IP system checks the Responder CAs parameter of the next responder definition associated with the SSL proxy. If every responder definition has been checked and none matches, certificate verification fails and the BIG-IP system denies the client request.

Configuring OCSP

Using the BIG-IP system, you can create OCSP responder definitions that correspond to various responders. The BIG-IP system stores responder definitions in the bigip.conf file. Figure 2.2 shows an example of a responder definition.


responder my_responder {
    url "http://192.168.103.155:8080/"
    calist file /config/bigconfig/ssl.crt/cacerts.crt
    respcert file /config/bigconfig/ssl.crt/VAfile.crt
    signcert file /config/bigconfig/ssl.crt/sign.crt
    signkey file /config/bigconfig/ssl.key/sign.key
    req sign digest sha1
    req certid digest sha1
    ignore aia enable
    trust signer disable
    valperiod 120
}

Figure 2.2 Sample responder definition in the bigip.conf file

A single responder definition can target a specific responder, or several responder definitions can target the same responder. The only attribute that must be unique is the responder name. Each responder is associated with a certificate authority (CA), and several responders can be associated with the same CA.

Figure 2.3 shows this scenario, where responders 1 and 2 are associated with CA 1, but responder 3 is associated with CA 2.

Figure 2.3 Relationship of responders to CAs
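The responder matching steps described above, together with the bigip.conf layout of Figure 2.2 and the responder-to-CA arrangement of Figure 2.3, as an added Python example that is not part of the BIG-IP product or of this guide. It parses responder blocks from a constructed bigip.conf fragment (two definitions serving CA 1, a third serving CA 2), then walks an SSL proxy's ocsp responders list to pick the definition and the URL to query. The addresses, file paths and CA names are constructed; the `CALIST_SUBJECTS` table stands in for reading the .crt bundles; and the assumption that the responder list is searched in the order given is the example's, not the guide's.

```python
"""Added example (not BIG-IP code): parse responder definitions in the
bigip.conf layout of Figure 2.2 and select the responder/URL for a client
certificate as this chapter describes."""
import re

# Parameter keywords of a responder block, longest first so that prefix
# matching never confuses e.g. "url" with a longer keyword.
RESPONDER_KEYS = (
    "req certid digest", "req sign digest", "respcert file", "signcert file",
    "signkey file", "calist file", "trust signer", "ignore aia", "valperiod", "url",
)

# Constructed sample configuration (addresses and paths are made up), laid out
# like Figure 2.3: resp_a and resp_b both serve CA 1, resp_c serves CA 2.
SAMPLE_BIGIP_CONF = """
responder resp_a {
url "http://192.0.2.10:8080/"
calist file /config/bigconfig/ssl.crt/ca1.crt
ignore aia disable
valperiod 120
}
responder resp_b {
url "http://192.0.2.11:8080/"
calist file /config/bigconfig/ssl.crt/ca1.crt
ignore aia enable
}
responder resp_c {
url "http://192.0.2.12:8080/"
calist file /config/bigconfig/ssl.crt/ca2.crt
}
"""

# Constructed stand-in for reading each calist .crt bundle: the subject names
# of the CA certificates it contains.
CALIST_SUBJECTS = {
    "/config/bigconfig/ssl.crt/ca1.crt": {"CN=CA 1"},
    "/config/bigconfig/ssl.crt/ca2.crt": {"CN=CA 2"},
}

_BLOCK_RE = re.compile(r"responder\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_responders(conf_text):
    """Return {name: {keyword: value}} for every responder block in conf_text,
    applying the Table 2.1 defaults and rejecting unknown or missing parameters."""
    responders = {}
    for match in _BLOCK_RE.finditer(conf_text):
        name, body = match.group(1), match.group(2)
        params = {}
        for raw in body.splitlines():
            line = raw.strip()
            if not line:
                continue
            for key in RESPONDER_KEYS:
                if line == key or line.startswith(key + " "):
                    params[key] = line[len(key):].strip().strip('"')
                    break
            else:
                raise ValueError(f"{name}: unrecognised parameter line {line!r}")
        for required in ("url", "calist file"):
            if required not in params:
                raise ValueError(f"{name}: missing required parameter {required!r}")
        params.setdefault("ignore aia", "disable")
        params.setdefault("trust signer", "disable")
        params.setdefault("valperiod", "300")
        responders[name] = params
    return responders


def select_responder(issuer_subject, aia_url, ocsp_responders, responders,
                     calist_subjects=CALIST_SUBJECTS):
    """Walk the proxy's space-delimited 'ocsp responders' list (assumed to be
    searched in the order given) and return (definition name, URL to query).
    Returns None when no definition's CA list covers the certificate issuer,
    which the chapter says makes verification fail."""
    for name in ocsp_responders.split():
        params = responders[name]
        if issuer_subject not in calist_subjects.get(params["calist file"], ()):
            continue  # Responder CAs do not include this issuer; try the next one
        if aia_url and params["ignore aia"] != "enable":
            return name, aia_url          # AIA present and honoured
        return name, params["url"]        # no AIA URL, or Ignore AIA enabled
    return None


if __name__ == "__main__":
    defs = parse_responders(SAMPLE_BIGIP_CONF)
    print(select_responder("CN=CA 1", "http://ocsp.ca1.example/", "resp_a resp_c", defs))
    print(select_responder("CN=CA 2", None, "resp_a resp_c", defs))
```

Running the module prints the definition chosen for a CA 1 certificate (resp_a, queried at its AIA URL because resp_a leaves Ignore AIA disabled) and for a CA 2 certificate with no AIA extension (resp_c, queried at its configured url). Point the same issuer at resp_b, which has Ignore AIA enabled, and the AIA URL is ignored in favour of the configured one.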

Once you have created all of your responder definitions, you can configure an SSL proxy to use one or more specific responder definitions when processing requests over SSL.

There are two tasks required for configuring OCSP. The first task is to create the OCSP responder definition. The second task is to configure the SSL proxy's OCSP responder list option. This option allows you to specify the OCSP responder definitions that the proxy will use to obtain revocation status.

Creating an OCSP responder definition

To fully implement a responder definition on the BIG-IP system, you must define a set of parameter values. You configure these parameters through the bigpipe responder command. Table 2.1 lists and describes the configurable parameters for a responder definition.

 

Table 2.1 Responder definition parameters

Responder name
  Description: A name that identifies the responder definition. This parameter is required.
  Keyword: responder
  Data type: String
  Valid values/range: N/A
  Default/initial value: Empty string

Responder CAs
  Description: An X509 store containing the certificates of the certificate authorities (CAs) that this responder services. A CA in this store must match the issuer of the certificate being validated with OCSP; the match is made by comparing the subject field of the CA certificate with the Issuer field of the client certificate. You populate the store by specifying a bundle-type .crt file that contains all the necessary CA certificates. This parameter is required.
  Keyword: calist file
  Data type: String (file name)
  Valid values/range: N/A
  Default/initial value: Empty string

Responder URL
  Description: The URL used to contact the OCSP service on the responder. Unless Ignore AIA is enabled, this URL is used only when the client certificate carries no AIA URL. This parameter is required.
  Keyword: url
  Data type: String (valid URL)
  Valid values/range: Valid URL format
  Default/initial value: Empty string

Validity period
  Description: The number of seconds of clock difference to tolerate between the OCSP responder and the BIG-IP system (the OCSP client). Without this tolerance, clocks that are not synchronized could make the times in a response appear invalid and cause the status check to fail. The value must not be negative. This parameter is required.
  Keyword: valperiod
  Data type: Integer (seconds)
  Valid values/range: 0 to MAX
  Default/initial value: 300

Responder certificate
  Description: A certificate used to verify the signature on the response from the responder. It is needed when the responder's signing certificate is not covered by the certificates already loaded into the responder's CA store. This parameter is optional.
  Keyword: respcert file
  Data type: String (file name)
  Valid values/range: N/A
  Default/initial value: Empty string

Request signing certificate and request signing key
  Description: A certificate and private key used to sign the OCSP request. Special meanings: if the certificate is specified but the key is not, the private key is read from the same file as the certificate; if neither is specified, the request is not signed; if the key is specified but the certificate is not, the configuration is invalid. These parameters are optional.
  Keyword: signcert file and signkey file
  Data type: Strings (file names)
  Valid values/range: N/A
  Default/initial value: Empty string

Request signing digest algorithm
  Description: The digest algorithm used when signing the request with the signing certificate and key. This parameter has no meaning when request signing is not in effect (that is, both the request signing certificate and request signing key parameters are empty), and is required only when request signing is in effect. Use sha1 (the default) unless the responder requires md5; MD5 is cryptographically weak.
  Keyword: req sign digest
  Data type: String
  Valid values/range: md5 | sha1
  Default/initial value: sha1

Request CertID digest algorithm
  Description: The algorithm used to hash the issuer's name and public key when building the certificate ID (CertID) that identifies the certificate in the request sent to the responder. This parameter is optional.
  Keyword: req certid digest
  Data type: String
  Valid values/range: md5 | sha1
  Default/initial value: sha1

Ignore AIA
  Description: An instruction to ignore the URL contained in the certificate's AIA extension and always use the Responder URL of this definition instead. Enabling it pins OCSP queries to the configured responder rather than to whatever URL the issuing CA placed in the certificate. If not defined, the value is disabled (0). This parameter is optional.
  Keyword: ignore aia
  Data type: String
  Valid values/range: enable | disable
  Default/initial value: disable

Explicit trust of the response signer
  Description: An instruction to search the SSL proxy's list of trusted CAs for the certificate used to sign the response and, when it is found there, to trust that signer explicitly without constructing a certificate chain. If not defined, the value is disabled (0). This parameter is optional.
  Keyword: trust signer
  Data type: String
  Valid values/range: enable | disable
  Default/initial value: disable
 
To create a responder definition

Use the following bigpipe responder command syntax to create an OCSP responder definition.

b responder <name> [calist file <filename>]
    [url <url>]
    [valperiod <number>]
    [respcert file <filename>]
    [signcert file <filename>]
    [signkey file <filename>]
    [req sign digest (sha1 | md5)]
    [req certid digest (sha1 | md5)]
    [ignore aia (enable | disable)]
    [trust signer (enable | disable)]

To view responder definition parameters

Use the following commands, specifying a responder name, to show responder parameter values.

b responder <name> calist file [show]
b responder <name> url [show]
b responder <name> valperiod [show]
b responder <name> respcert file [show]
b responder <name> signcert file [show]
b responder <name> signkey file [show]
b responder <name> req sign digest [show]
b responder <name> req certid digest [show]
b responder <name> ignore aia [show]
b responder <name> trust signer [show]

Configuring the SSL proxy

Once you have created one or more OCSP responder definitions, you need to specify which responder definitions the SSL proxy should use when it requests certificate revocation status. You do this by using the bigpipe proxy command to configure the OCSP responder list option.

If the OCSP responder list option is not configured on the SSL proxy, no OCSP check is performed and the certificate passes the revocation check (any CRL check configured on the proxy still applies).

Table 2.2 describes the OCSP responder list option.

Table 2.2 OCSP responder list option

OCSP responder list
  Description: A list of OCSP responder definitions. If one or more responders are listed, OCSP validation is enabled. This parameter is optional.
  Keyword: ocsp responders
  Data type: String (space-delimited list)
  Valid values/range: N/A
  Default/initial value: Empty string

 

After you have configured the OCSP responder list option and the BIG-IP system has received certificate revocation status from a responder, the SSL proxy inserts a certificate status header into the client request it forwards. The SSL proxy inserts this header only when it has been configured to insert headers into client requests. (For more information on configuring this option, see the BIG-IP Reference Guide.)

The name of the certificate status header is SSLClientCertificateStatus. Like the other certificate-related headers that the proxy inserts into a request, it is most useful when the proxy is configured to request, but not require, client certificates, so that the target server can decide how to treat a request whose certificate status is not good. Because it is an ordinary request header, the target server should trust its value only on connections that arrive through the SSL proxy, and must not accept a copy supplied directly by a client. For more information on configuring the SSL proxy, see the BIG-IP Reference Guide.

To configure the SSL proxy for OCSP validation

Use the following bigpipe proxy command syntax to configure the OCSP responder list option.

b proxy <ip addr>:<service> [ocsp responders <list of responders>]

To display a list of existing OCSP responders

Use the following bigpipe proxy command syntax to display the list of OCSP responders configured on an SSL proxy.

b proxy <ip addr>:<service> ocsp responders [show]

Note

The BIG-IP system allows you to enable both the CRL and the OCSP options on the same SSL proxy. Most users need only one of the two. If you do enable both, be aware that both the lookup in the CRL file and the query to the responder must succeed; if either fails, the BIG-IP system fails to obtain a status and the connection is not forwarded.