6 February 2011

How To Configure OCSP

© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=11938

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date Description

2/6/2011 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Configure OCSP ).

Contents

Important Information
How To Configure OCSP
Before You Start
Configuring OCSP
Creating an OCSP Server Object
Configuring the New OCSP Server
Formatting the Certificate
Configuring the Trusted Root CA Object
Completing the Procedure
Verifying the Procedure

How To Configure OCSP

Objective

This document describes how to configure VPN-1 Power/UTM to use OCSP.

Supported Versions

VPN-1 NGX up to R71

Supported OS

All

Supported Appliances

Any running VPN-1 Power/UTM NGX or later

Before You Start

Related Documentation

VPN Admin Guide

Assumed Knowledge

How to configure Certificate based authentication

Impact on the Environment and Warnings

OCSP performs a real-time check of certificate status: as soon as a certificate is revoked, the gateway recognizes it as revoked. This differs from the default CRL behavior. CRLs are cached by default, so depending on the configuration there can be a lag between the moment the Certificate Authority revokes a certificate and the moment the gateway recognizes the revocation.

OCSP does not cache any data. The gateway sends a request to the OCSP responder each time it needs to check the status of a certificate. This can have a performance impact if the amount of traffic between the gateway and the OCSP responder becomes excessive.

One major benefit of OCSP over CRLs: under some circumstances a VPN outage can occur if the CRL grows too large. That potential problem is eliminated with OCSP.

Configuring OCSP

Note – This procedure assumes you have already configured a Trusted Root Certificate Authority object, and the VPN is already functioning using certificates issued by this CA.

In this section:

Creating an OCSP Server Object
Configuring the New OCSP Server
Formatting the Certificate
Configuring the Trusted Root CA Object

Creating an OCSP Server Object

To create an OCSP Server object:

1. Run GuiDBedit and connect it to the SmartCenter server.

2. Navigate to: +Managed Objects -> servers.

3. Right-click in the upper right-hand pane and click: New...

4. In the Create Object window, select OCSP_server from the Class pull-down menu.

5. In the Object: text box type a name for the object (Example: myOCSPserver).

6. Click OK and the object will be created.

Configuring the New OCSP Server

To configure the OCSP server object you just created:

1. Using GuiDBedit, in the upper-right hand pane click the OCSP server object you just created. Its attributes are displayed in the lower pane.

2. Double-click the Value column of the url field and enter the URL of the OCSP responder supplied by the Certificate Authority vendor being used. Click OK.

Note – this should be a standard URL such as: http://someocsp.someCAvendor.com. If the CA vendor does not document it, the responder URL is normally carried in the Authority Information Access extension of the certificates the CA issues (openssl x509 -noout -ocsp_uri -in <certificate file> prints it).

3. Double-click the Value column of the Certificate field and enter the OCSP responder's certificate (Base64-encoded DER, that is, PEM format).

Formatting the Certificate

Note – when viewed in an ASCII editor, a Base64-encoded DER certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----", with the certificate data in between.

To format a Base64-encoded DER certificate:

1. Open the certificate file in an ASCII editor and delete all line breaks, so that the data becomes a single long line.

2. Copy the entire string (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") and paste it into the Value field. Click OK.

The OCSP Server object is now fully configured.

Configuring the Trusted Root CA Object

To configure the relevant Trusted Root CA object to use the OCSP server:

1. In the upper-right hand pane of GuiDBedit, click the relevant Root CA object.

2. In the lower pane, double-click the Value column of the OCSP_servers field, and select the OCSP server you just created.

3. Double-click the Value column of the "OCSP_validation" field and set it to true.

4. Save the changes in GuiDBedit by clicking: File -> Save All.

5. Close GuiDBedit.

6. Open the SmartDashboard and install the Security Policy.

Note – CRLs will not be fetched for a CA for which OCSP validation has been configured. OCSP responses are not cached.

Completing the Procedure

Open the SmartDashboard and install the Security Policy.

Verifying the Procedure

Enable logging on the rule that allows the VPN-1 gateway to communicate with the OCSP responder (this may be an implied rule or an explicit rule) and verify that the gateway contacts the OCSP responder every time it validates a certificate.

A more conclusive way to verify that OCSP is working is to enable VPN debug as follows:

vpn debug on OCSP=5

This causes the VPN daemon to write OCSP debug messages to $FWDIR/log/vpnd.elg.

To turn the debug off, run: vpn debug off