OCSP and CRL Check Behavior on NetScaler

This article contains information about the NetScaler behavior after configuring both Online Certificate Status Protocol (OCSP) check and Certificate Revocation List (CRL) check at the SSL virtual server level.

Requirements

You need to know how to configure OSCP and CRL check. Refer to the following links for more information on OCSP and CRL check configuration:

Behavior of OCSP and CRL Check Configuration

The following list describes how the OCSP and CRL check configuration functions:

  • If OCSPcheck parameter is set as mandatory, CRLcheck parameter will not be effective even if it is optionally enabled internally.

  • If CRL check is mandatory, then CRL check will be effective even if OCSP is configured.

  • Both OCSP and CRL check cannot be set as mandatory.

Set OCSP and CRL Check as Optional

Run the following command to configure OCSP or CRL check parameters as optional:

set ssl vserver vs1 –clientcert mandatory –clientauth enabled

bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Optional


OR

bind ssl vserver vs1 -certkeyName ca_cert -CA -crlCheck Optional

Note: You can only use either ocspcheck or crlcheck parameter at any one point. Enabling both parameter is not supported.

The following list provides the sequence of action that occur when OCSP and CRL check is set as optional:

  1. If OCSP responder is available and certificate is revoked, then the handshake fails.

  2. If OCSP responder is available and certificate is current, then the handshake succeeds.

  3. If OCSP responder is not configured, then it applies CRL check.

  4. If CRL is available and certificate is revoked, then the handshake fails.

  5. If CRL is available and certificate is current, then the handshake succeeds.

  6. Handshake fails if CRL is available but succeeds when CRL is missing and CRL check is set as optional. Handshake can only fail if CRL is missing and CRL check is set as mandatory.

The following table illustrates the result of a handshake with a client when using a revoked certificate:

Rule for CRL Check

Rule for Client Certificate Check

State of the CRL Configured for CA Certificate

Result of a Handshake with a Revoked Certificate

Optional

Optional

Missing

Success

Optional

Mandatory

Missing

Success

Optional

Mandatory

Present

Failure

Mandatory

Optional

Missing

Success

Mandatory

Mandatory

Missing

Failure

Mandatory

Optional

Present

Success

Mandatory

Mandatory

Present

Failure

Optional/Mandatory

Optional

Expired

Success

Optional/Mandatory

Mandatory

Expired

Failure

Related:

  • No Related Posts

Leave a Reply