Dell Networking W-Series ArubaOS 6.4.x | User Guide | Certificate Revocation | 365
Chapter 14
Certificate Revocation
The Certificate Revocation feature enables the controller to perform real-time certificate revocation checks
using the Online Certificate Status Protocol (OCSP), or traditional certificate validation using the Certificate
Revocation List (CRL) client.
Topics in this chapter include:
• Understanding OCSP and CRL on page 365
• Configuring the Controller as a CRL Client on page 368
• Configuring the Controller as an OCSP Responder on page 369
• Configuring the Controller as an OCSP Client on page 366
• Certificate Revocation Checking for SSH Pubkey Authentication on page 370
Understanding OCSP and CRL
OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. The protocol
determines the revocation status of a given digital public-key certificate without downloading the entire CRL.
CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial numbers
that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the
presented certificate while verifying it. CRLs are limited to 512 entries.
Both the Delegated Trust Model and the Direct Trust Model are supported to verify digitally signed OCSP
responses. Unlike the Direct Trust Model, the Delegated Trust Model does not require the OCSP responder
certificates to be explicitly available on the controller.
Configuring a Controller as OCSP and CRL Clients
The controller can act as an OCSP client and issue OCSP queries to remote OCSP responders located on the
intranet or Internet. Since many applications in ArubaOS (such as IKE) use digital certificates, a revocation
protocol such as OCSP needs to be implemented.
An entity that relies on the content of a certificate (a relying party) needs to check the revocation status of the
certificate before accepting it as valid. To verify that the certificate has not been revoked, the OCSP client
retrieves its revocation status from an OCSP responder. The responder may be the CA (Certificate Authority) that
issued the certificate in question, or it may be some other designated entity that provides the service on
behalf of the CA. A revocation checkpoint is a logical profile that is tied to each CA certificate that the controller
has (trusted or intermediate). The user can also specify revocation preferences within each profile.
The OCSP request is not signed by the Dell OCSP client at this time. However, the OCSP response is always
signed by the responder.
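The two trust models described under "Understanding OCSP and CRL", and the signed-response requirement just stated, are illustrated by the following Go program. It is an added example written for this page, not ArubaOS code: it builds a throwaway test CA, a CA-issued OCSP responder certificate and an ordinary CA-issued certificate (all constructed in memory), then shows how a verifier decides whether the certificate that signed an OCSP response is acceptable under Direct Trust (signer explicitly loaded) or Delegated Trust (signer issued by the same CA and marked with the OCSP Signing extended key usage). The function and parameter names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert issues a short-lived test certificate (constructed data for this example only).
// With parent == nil the certificate is self-signed, i.e. a root CA or a stand-alone responder.
func MakeCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		KeyUsage: ku, ExtKeyUsage: eku,
	}
	if parent == nil { // no issuer given: self-sign with the freshly generated key
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ResponderTrusted decides whether the certificate that signed an OCSP response may be accepted.
// Direct Trust: the signer is in the verifier's explicitly loaded responder set (keyed by DER).
// Delegated Trust: the signer is issued by the CA of the checked certificate AND carries
// id-kp-OCSPSigning; without the EKU test any CA-issued end-entity certificate could sign responses.
func ResponderTrusted(signer, issuerCA *x509.Certificate, trusted map[string]bool) bool {
	if trusted[string(signer.Raw)] {
		return true // Direct Trust: responder certificate explicitly available on the controller
	}
	if signer.CheckSignatureFrom(issuerCA) != nil {
		return false // not issued by the CA that issued the certificate under check
	}
	for _, e := range signer.ExtKeyUsage {
		if e == x509.ExtKeyUsageOCSPSigning {
			return true // Delegated Trust: the CA authorized this key to sign OCSP responses
		}
	}
	return false
}
```

A real verifier additionally checks the response signature itself, the responder certificate's validity period and, for Delegated Trust, whether the responder certificate carries id-pkix-ocsp-nocheck or must itself be revocation-checked.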
Both OCSP and CRL configuration and administration are usually performed by the administrator who manages
the web access policy for an organization.
In small networks where there is no Internet connection or no connection to an OCSP responder, CRL is
preferable to OCSP.