Table Of Contents
Online Certificate Status Protocol (OCSP)
Restrictions for Online Certificate Status Protocol (OCSP)
Information About Online Certificate Status Protocol (OCSP)
OCSP Server: Pushing and Polling Revocation Consideration
Verifying Certificate Information
Configuration Examples for OCSP Server
OCSP Server Configuration Example
CRL Then OCSP Server Configuration Example
Specific OCSP Server Configuration Example
Online Certificate Status Protocol (OCSP)
The Online Certificate Status Protocol (OCSP) feature allows users to enable OCSP instead of certificate revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.
Feature History for Online Certificate Status Protocol (OCSP)
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for Online Certificate Status Protocol (OCSP)
• Information About Online Certificate Status Protocol (OCSP)
• Configuration Examples for OCSP Server
Restrictions for Online Certificate Status Protocol (OCSP)
• OCSP transports messages over HTTP, so there may be a time delay when you access the OCSP server. If the OCSP server is unavailable, certificate verification will fail.
• The increased certificate size may cause a problem for low-end routers when certificates are stored in NVRAM. Thus, before you add the Authority Info Access (AIA) extension to a certificate, ensure that the increased size will not cause deployment problems.
Information About Online Certificate Status Protocol (OCSP)
To configure your router to use an OCSP server for certificate status checking, you should understand the following concept:
OCSP Benefits
• OCSP provides revocation status information more frequently than CRLs, which provide only periodic updates.
• OCSP allows a network administrator to configure a central OCSP server to collect and update CRLs from different certification authority (CA) servers; thus, the devices within the network can rely on the OCSP server to check certificate status without each device retrieving and caching every CRL.
How to Use OCSP
This section contains the following procedures:
• Configuring an OCSP Server
• Verifying Certificate Information
Configuring an OCSP Server
Use this task to configure your router to check certificate status through an OCSP server.
OCSP Server: Pushing and Polling Revocation Consideration
An OCSP server usually operates in either push or poll mode. You can configure a CA server to push revocation information to an OCSP server or configure an OCSP server to periodically download (poll) a CRL from the CA server. To ensure that timely certificate revocation status is obtained, you should carefully consider the "push and poll" interval.
Prerequisites
When configuring an OCSP server to return the revocation status for a CA server, the OCSP server must be configured with an OCSP response signing certificate that is issued by that CA server. Ensure that the signing certificate is in the correct format (in particular, it must carry the OCSPSigning extended key usage, as in the sample below), or the router will not accept the OCSP response. Refer to your OCSP server documentation for additional information.
The following is a sample OCSP response signing certificate. Note the OCSP NoCheck and Extended Key Usage (OCSPSigning) extensions. The sample dates from 2002 and is signed with MD5withRSA; MD5 signatures are no longer considered secure, and a current deployment should use a SHA-2 signature algorithm.
Certificate:
  Data:
    Version: v3
    Serial Number: 0x14
    Signature Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
    Issuer: CN=CA server,OU=PKI,O=Cisco Systems
    Validity:
      Not Before: Thursday, August 8, 2002 4:38:05 PM PST
      Not After: Tuesday, August 7, 2003 4:38:05 PM PST
    Subject: CN=OCSP server,OU=PKI,O=Cisco Systems
    Subject Public Key Info:
      Algorithm: RSA - 1.2.840.113549.1.1.1
      Public Key:
        Exponent: 65537
        Public Key Modulus: (1024 bits) : <snip>
    Extensions:
      Identifier: Subject Key Identifier - 2.5.29.14
        Critical: no
        Key Identifier: <snip>
      Identifier: Authority Key Identifier - 2.5.29.35
        Critical: no
        Key Identifier: <snip>
      Identifier: OCSP NoCheck: - 1.3.6.1.5.5.7.48.1.5
        Critical: no
      Identifier: Extended Key Usage: - 2.5.29.37
        Critical: no
        Extended Key Usage: OCSPSigning
      Identifier: CRL Distribution Points - 2.5.29.31
        Critical: no
        Number of Points: 1
        Point 0
          Distribution Point: [URIName: ldap://CA-server/CN=CA server,OU=PKI,O=Cisco Systems]
  Signature:
    Algorithm: MD5withRSA - 1.2.840.113549.1.1.4
    Signature: <snip>
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto pki trustpoint name
4. ocsp url url
5. revocation-check method1 [method2 [method3]]
DETAILED STEPS
Verifying Certificate Information
To verify certificate and trustpoint information, perform the following optional steps.
SUMMARY STEPS
1. enable
2. show crypto pki certificates
3. show crypto pki trustpoints
DETAILED STEPS
Configuration Examples for OCSP Server
The following section provides configuration examples that show alternate ways to configure your router for certificate checking:
• OCSP Server Configuration Example
• CRL Then OCSP Server Configuration Example
• Specific OCSP Server Configuration Example
OCSP Server Configuration Example
The following example shows how to configure the router to use the OCSP server that is specified in the AIA extension of the certificate:
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check ocsp
CRL Then OCSP Server Configuration Example
The following example shows how to configure the router to download the CRL from the CRL distribution point (CDP); if the CRL is unavailable, the OCSP server that is specified in the AIA extension of the certificate will be used. If both options fail, certificate verification will also fail.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check crl ocsp
Specific OCSP Server Configuration Example
The following example shows how to configure your router to use the OCSP server at the HTTP URL "http://myocspserver:81." If the server is down, the revocation check is skipped and the certificate is accepted. Note that this fails open: while the OCSP server is unreachable, a revoked certificate is accepted as well, so use the none keyword only where connectivity matters more than strict revocation enforcement.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none
Additional References
The following sections provide references related to OCSP.
Related Documents
Standards
MIBs
MIBs | MIBs Link
None | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFCs | Title
RFC 2560 | X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
Technical Assistance
Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.
ocsp url
To specify the URL of an Online Certificate Status Protocol (OCSP) server, overriding the OCSP server URL (if one exists) in the Authority Info Access (AIA) extension of the certificate, use the ocsp url command in ca-trustpoint configuration mode. To remove the configured URL, use the no form of this command.
ocsp url url
no ocsp url url
Syntax Description
url | All certificates associated with the configured trustpoint are checked by the OCSP server at the specified HTTP URL.
Defaults
Uses the OCSP server URL in the AIA extension of the certificate. If the certificate has no such URL, the revocation check fails.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
A central OCSP server can be configured to collect and update certificate revocation lists (CRLs) from different certification authority (CA) servers. Thus, the devices within the network can rely on the OCSP server to check the certificate status without retrieving and caching each CRL for every device.
If the ocsp url command is not configured, the certificate is checked by the OCSP server specified in the Authority Info Access (AIA) extension of the certificate.
Examples
The following example shows how to configure your router to use the OCSP server at the HTTP URL "http://myocspserver:81." If the server is down, the revocation check is skipped and the certificate is accepted, even if it has in fact been revoked, because the none keyword makes the check best-effort:
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none
Related Commands
Command | Description
crypto pki trustpoint | Declares the CA that your router should use.
revocation-check | Checks the revocation status of a certificate.
revocation-check
To check the revocation status of a certificate, use the revocation-check command in ca-trustpoint configuration mode. To disable this functionality, use the no form of this command.
revocation-check method1 [method2[method3]]
no revocation-check method1 [method2[method3]]
Syntax Description
crl | Certificate checking is performed by a CRL. This is the default.
none | Certificate checking is not required.
ocsp | Certificate checking is performed by an OCSP server.
Defaults
After a trustpoint is enabled, the default is set to revocation-check crl, which means that CRL checking is mandatory.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.3(2)T | This command was introduced. It replaces the crl best-effort and crl optional commands.
Usage Guidelines
Use the revocation-check command to ensure that the certificate of a peer has not been revoked.
If your router does not have the applicable CRL and is unable to obtain one, or if the OCSP server returns an error, your router rejects the certificate of the peer unless you include the none keyword in your configuration. If you use the none keyword, your router checks the CRL if it is cached in router memory, but it does not download the CRL from the CRL distribution point (CDP). If the none keyword is configured and a CRL is not available, the certificate is always accepted. If the revocation-check none command is configured, you cannot manually download the CRL with the crypto pki crl request command, because a manually downloaded CRL might not be deleted after it expires; the expired CRL could then cause all certificate verifications to be denied.
Note
If you enter the crl optional command, it will be written back as the revocation-check none command.
Also, the crl and none keywords issued together replace the crl best-effort command. If you enter the crl best-effort command, it will be written back as the revocation-check crl none command.
Examples
The following example shows how to configure the router to use the OCSP server that is specified in the AIA extension of the certificate:
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check ocsp
The following example shows how to configure the router to download the CRL from the CDP; if the CRL is unavailable, the OCSP server that is specified in the Authority Info Access (AIA) extension of the certificate will be used. If both options fail, certificate verification will also fail.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check crl ocsp
The following example shows how to configure your router to use the OCSP server at the HTTP URL "http://myocspserver:81." If the server is down, the revocation check is skipped and the certificate is accepted, revoked or not; the none keyword makes this configuration fail open.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none
Related Commands
Copyright © 2003 Cisco Systems, Inc. All rights reserved.

