There are two ways of checking certificate revocation in client authentication:
-
Using OSCP (nCLI)
-
Using CRL- Certificate revocation lists (nCLI)
-
OCSP is the recommended method for checking certificate revocation in client authentication. You can enable certificate revocation checking using the OSCP method through the command line interface (nCLI).
What is OCSP ?
The Online Certificate Status Protocol is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
How does OCSP Work?
When a user requests the validity of a certificate, an OCSP request is sent to an OCSP Responder. This checks the specific certificate with a trusted certificate authority and an OCSP response is sent back with a response of either 'good', 'revoked' or 'unknown'
To enable certificate revocation checking using OCSP for client authentication, do the following.
Procedure
-
Set the OCSP responder URL.
ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url><ocsp url> indicates the location of the OCSP responder.
-
Verify if OCSP checking is enabled.
ncli authconfig get-client-authentication-config
The expected output if certificate revocation checking is enabled successfully is as follows.
Auth Config Status: true
File Name: ca.cert.pem
OCSP Responder URI: http://<ocsp-responder-url>
2) You can use the CRL certificate revocation checking method if required, as described in this section.
To enable certificate revocation checking using CRL for client authentication, do the following.
Procedure
Specify all the CRLs that are required for certificate validation.
ncli authconfig set-certificate-revocation set-crl-uri=<uri 1>,<uri 2> set-crl-refresh-interval=<refresh interval in seconds>
-
The above command resets any previous OCSP or CRL configurations.
-
The URIs must be percent-encoded and comma separated.
-
The CRLs are updated periodically as specified by the crl-refresh-interval value. This interval is common for the entire list of CRL distribution points. The default value for this is 86400 seconds (1 day).
Note: OSCP is the recommended method for checking certificate revocation in client authentication.
Portal Security guide reference: