
OCSP Response Stapling

The OCSP Response Stapling feature allows you to check the validity of a peer's user or device credentials contained in a digital certificate using Online Certificate Status Protocol (OCSP).

• Finding Feature Information, page 1

• Information About OCSP Response Stapling, page 1

• How to Configure OCSP Response Stapling, page 2

• Additional References for OCSP Response Stapling, page 6

• Feature Information for OCSP Response Stapling, page 8

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About OCSP Response Stapling

Overview of OCSP Response Stapling

Online Certificate Status Protocol (OCSP) is a method of checking certificate revocation in which the peer retrieves the revocation information for a certificate and validates it to determine the certificate's revocation status. In this method, revocation checking depends on the peer's ability to reach an OCSP responder across the network and on the time it takes to retrieve the revocation information.

OCSP response stapling adds a new method of fetching the OCSP response for a device's own certificates. With this feature the device obtains the revocation information for its own certificate by contacting the OCSP server itself, and then sends this result along with its certificate directly to the peer. As a result, the peer does not need to contact the OCSP responder.

Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT

How to Configure OCSP Response Stapling

Configuring PKI Client to Request EKU Attribute

Perform this task to configure OCSP (Online Certificate Status Protocol) response stapling on the PKI client.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpoint name
4. ocsp url url
5. eku request attribute
6. match eku attribute
7. revocation-check method1 [method2 [method3]]
8. exit
9. exit
10. show crypto pki counters

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: crypto pki trustpoint name
Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.
Example:
Device(config)# crypto pki trustpoint msca

Step 4: ocsp url url
Purpose: The url argument specifies the URL of an OCSP server that the trustpoint uses to check certificate status. This URL overrides the OCSP server URL (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with the configured trustpoint are checked against this OCSP server. The URL can contain a hostname, an IPv4 address, or an IPv6 address.
Examples:
Device(ca-trustpoint)# ocsp url http://ocsp-server
Device(ca-trustpoint)# ocsp url http://10.10.10.1:80
Device(ca-trustpoint)# ocsp url http://[2001:DB8:1:1::2]:80

Step 5: eku request attribute
Purpose: Requests that the specified EKU attribute be included in the certificate. When configured on the PKI client, this request is sent to the CA server during enrollment. The attribute argument can be one of the following:
• client-auth
• code-signing
• email-protection
• ipsec-end-system
• ipsec-tunnel
• ipsec-user
• ocsp-signing
• server-auth
• time-stamping
• ssh-server
• ssh-client
Example:
Device(ca-trustpoint)# eku request ssh-client

Step 6: match eku attribute
Purpose: Allows PKI to validate a peer certificate only if the specified attribute is present in the certificate; otherwise validation fails. The attribute argument accepts the same values as in Step 5.
Example:
Device(ca-trustpoint)# match eku client-auth

Step 7: revocation-check method1 [method2 [method3]]
Purpose: (Optional) Checks the revocation status of a certificate.
• crl --Certificate checking is performed by a CRL. This is the default option.
• none --Certificate checking is ignored.
• ocsp --Certificate checking is performed by an OCSP server.
If a second and third method are specified, each method is used only if the previous method returns an error, such as the server being down. Because none is accepted as a fallback, a configuration such as revocation-check ocsp none fails open: when the OCSP responder cannot be reached, the certificate is accepted without any revocation check.
Example:
Device(ca-trustpoint)# revocation-check ocsp none

Step 8: exit
Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.
Example:
Device(ca-trustpoint)# exit

Step 9: exit
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# exit

Step 10: show crypto pki counters
Purpose: (Optional) Displays the PKI counters of the device.
Example:
Device# show crypto pki counters

Configuring PKI Server to Include EKU Attributes

Perform this task to configure OCSP (Online Certificate Status Protocol) response stapling on the PKI certificate server.


SUMMARY STEPS

1. enable
2. configure terminal
3. ip http server
4. crypto pki server cs-label
5. eku request attribute
6. exit
7. exit
8. show crypto pki counters

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: ip http server
Purpose: Enables the HTTP server on your system.
Example:
Device(config)# ip http server

Step 4: crypto pki server cs-label
Purpose: Defines a label for the certificate server and enters certificate server configuration mode.
Note: If you manually generated an RSA key pair, the cs-label argument must match the name of the key pair.
Example:
Device(config)# crypto pki server server-pki

Step 5: eku request attribute
Purpose: Requests that the specified EKU attribute be included in the certificates the server issues. The attribute argument can be one of the following:
• client-auth
• code-signing
• email-protection
• ipsec-end-system
• ipsec-tunnel
• ipsec-user
• ocsp-signing
• server-auth
• time-stamping
• ssh-server
• ssh-client
Example:
Device(cs-server)# eku request ssh-server

Step 6: exit
Purpose: Exits cs-server configuration mode and returns to global configuration mode.
Example:
Device(cs-server)# exit

Step 7: exit
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# exit

Step 8: show crypto pki counters
Purpose: (Optional) Displays the PKI counters of the device.
Example:
Device# show crypto pki counters

The following is sample output from the show crypto pki counters command:

Device# show crypto pki counters
PKI Sessions Started: 0
PKI Sessions Ended: 0
PKI Sessions Active: 0
Successful Validations: 0
Failed Validations: 0
Bypassed Validations: 0
Pending Validations: 0
CRLs checked: 0
CRL - fetch attempts: 0
CRL - failed attempts: 0
CRL - rejected busy fetching: 0
OCSP - fetch requests: 0
OCSP - received responses: 0
OCSP - failed attempts: 0
OCSP - staple requests: 0
AAA authorizations: 0
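The following is an added example that is not part of this guide and uses the OpenSSL command line rather than Cisco IOS. It models the behaviour described in the Overview of OCSP Response Stapling and in the two EKU procedures above: a throwaway CA (standing in for the crypto pki server) issues the device certificate with an EKU, the device fetches a signed OCSP response for its own certificate (the staple it would send to peers), the peer validates that staple against the CA it already trusts without contacting the responder, and a match_eku function enforces EKU presence the way match eku does. Everything in it is assumed: the CA and device names, the serial 0x1001, the dates, and the use of the standard clientAuth EKU in place of the ssh-client and ssh-server keywords, which OpenSSL does not name. It needs only the openssl binary and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: a throwaway CA and an offline OCSP
# responder driven with the openssl CLI. lab_setup plays the CA server (the
# "eku request" side), fetch_staple is what the device does to obtain its own
# staple, peer_check is the peer validating that staple without contacting a
# responder, and match_eku enforces EKU presence the way "match eku" does.
# Names, serial and dates are made up; the OpenSSL name clientAuth stands in
# for the IOS keywords. Requires only openssl and a POSIX shell.
set -eu

LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT
SERIAL_HEX=1001                        # serial we assign to the device certificate
DEVICE_DN="/CN=device.example.test"    # fictitious subject of the device certificate

lab_setup() {
    cd "$LAB"
    # The CA also signs OCSP responses for its own certificates, which
    # RFC 6960 allows and keeps the example to one CA key.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -days 2 -subj "/CN=Example Lab CA" >/dev/null 2>&1
    # The device certificate is issued with extendedKeyUsage=clientAuth, the
    # CA-side effect of the client having sent "eku request client-auth".
    printf 'extendedKeyUsage = clientAuth\n' > eku.cnf
    openssl req -new -newkey rsa:2048 -nodes -keyout device.key \
        -out device.csr -subj "$DEVICE_DN" >/dev/null 2>&1
    openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key \
        -set_serial "0x$SERIAL_HEX" -days 1 -extfile eku.cnf \
        -out device.pem >/dev/null 2>&1
    # Revocation database the responder consults (openssl "ca" index format,
    # six tab-separated fields). V marks the serial as valid.
    printf 'V\t301231235959Z\t\t%s\tunknown\t%s\n' "$SERIAL_HEX" "$DEVICE_DN" > index.txt
}

fetch_staple() {
    cd "$LAB"
    # Device side: an OCSP request for its own certificate. A staple is
    # fetched ahead of time and replayed to many peers, so it carries no nonce.
    openssl ocsp -issuer ca.pem -cert device.pem -no_nonce \
        -reqout req.der >/dev/null 2>&1
    # Responder side: answer from index.txt, signed with the CA key and valid
    # for one day. On the wire this is the HTTP exchange with the "ocsp url";
    # here the responder runs locally on the request file.
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -ndays 1 -no_nonce -noverify -reqin req.der -respout staple.der \
        >/dev/null 2>&1
}

peer_check() {
    cd "$LAB"
    # Peer side: verify the staple's signature and chain against the CA it
    # already trusts. No responder is contacted. Prints good/revoked/unknown.
    if ! out="$(openssl ocsp -respin staple.der -issuer ca.pem -cert device.pem \
                -CAfile ca.pem -no_nonce 2>&1)"; then
        echo "verify-failed"
        return 1
    fi
    printf '%s\n' "$out" | sed -n 's/^device\.pem: //p'
}

revoke_device() {
    cd "$LAB"
    # Flip the entry to R (revoked) with a revocation date. Peers holding the
    # earlier staple keep seeing "good" until its nextUpdate passes.
    printf 'R\t301231235959Z\t240101000000Z\t%s\tunknown\t%s\n' \
        "$SERIAL_HEX" "$DEVICE_DN" > index.txt
}

match_eku() {
    # "match eku <attribute>": succeed only if that EKU is present in the
    # peer certificate ($2, relative to $LAB); absence is a failure.
    case "$1" in
        client-auth) want="TLS Web Client Authentication" ;;
        server-auth) want="TLS Web Server Authentication" ;;
        *) echo "unsupported attribute: $1" >&2; return 2 ;;
    esac
    openssl x509 -in "$LAB/$2" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;p;}' | grep -q "$want"
}

lab_setup
fetch_staple
STATUS_BEFORE="$(peer_check)"
revoke_device
fetch_staple                    # the device refreshes its staple
STATUS_AFTER="$(peer_check)"
printf 'staple before revocation: %s\nstaple after revocation:  %s\n' \
    "$STATUS_BEFORE" "$STATUS_AFTER"
if match_eku client-auth device.pem; then echo "match eku client-auth: accepted"; fi
if ! match_eku server-auth device.pem; then echo "match eku server-auth: rejected"; fi
```

Run it as a script; it prints the staple status before and after the device's certificate is revoked, followed by the result of the two EKU checks. The point to notice is that peer_check never talks to a responder: a peer holding the first staple continues to see good until that staple's nextUpdate passes, which is why the device has to refresh its staple and why the responder's validity window matters when stapling replaces revocation-check ocsp on the peer.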

Additional References for OCSP Response Stapling

Related Documents

Related Topic: Cisco IOS commands
Document Title: Master Command List, All Releases

Related Topic: Security commands
Document Titles:
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z

Standards and RFCs

• RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
• RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
• RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• RFC 6187: X.509v3 Certificates for Secure Shell Authentication
• RFC 6066: Transport Layer Security (TLS) Extensions: Extension Definitions

MIBs

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Link: http://www.cisco.com/support
Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Feature Information for OCSP Response Stapling

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for OCSP Response Stapling

Feature Name: OCSP Response Stapling
Releases: 15.5(1)T
Feature Information: This feature allows you to check the validity of a peer's user or device credentials contained in a digital certificate using Online Certificate Status Protocol (OCSP).