Filter
Top Products
DellPowerConnectW-SeriesArubaOS6.2 | User Guide CertificateRevocation | 228
Chapter 16
Certificate Revocation
The Certificate Revocation feature enables the ArubaOS controller to perform real-time certificate revocation
checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate
Revocation List (CRL) client.
Topics in this chapter include:
l "Understanding OCSP and CRL" on page 228
l "Configuring the Controller as a CRL Client" on page 230
l "Configuring the Controller as an OCSP Responder " on page 231
l "Configuring the Controller as an OCSP Client" on page 229
Understanding OCSP and CRL
OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. This protocol
determines revocation status of a given digital public-key certificate without having to download the entire CRL.
CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial numbers
that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented
certificate while verifying it. CRLs are limited to 512 entries.
Configuring a Controller as OCSP and CRL Clients
The ArubaOS controller can act as an OCSP client and issues OCSP queries to remote OCSP responders located on
the intranet or Internet. As many applications in ArubaOS (such as IKE), use digital certificates, a protocol such as
OCSP needs to be implemented for revocation.
An entity that relies on the content of a certificate (a relying party) needs to do the checking before accepting the
certificate as being valid. One check verifies that the certificate has not been revoked. The OCSP client retrieves
certificate revocation status from an OCSP responder. The responder may be the CA (Certificate Authority) that
has issued the certificate in question or it may be some other designated entity which provides the service on behalf
of the CA. A
revocation checkpoint
is a logical profile that is tied to each CA certificate that the controller has
(trusted or intermediate). Also, the user can specify revocation preferences within each profile.
The OCSP request is not signed by the Dell OCSP client at this time. However, the OCSP response is always signed
by the responder.
Both OCSP and CRL configuration and administration is usually performed by the administrator who manages the
web access policy for an organization.
In small networks where there are is no Internet connection or connection to an OCSP responder, CRL is better
option than OCSP.
Configuring an OCSP Controller as a Responder
The ArubaOS controller can be configured to act as an OCSP responder (server) and respond to OCSP queries from
clients that are trying to obtain revocation status of certificates.