Configuring the certificate revocation check
The Online Certificate Status Protocol (OCSP) is a security protocol used to verify the revocation status of an SSL/TLS digital certificate.
This protocol allows you to verify the validity of a digital certificate in real time, without having to rely on a certificate revocation list (CRL).
The following settings control the check:
- _BESGather_OcspVerify
- _BESRelay_Download_OcspVerify
OCSP defines a server, called the OCSP responder, that reports the status of a certificate. Depending on the configuration of the remote HTTPS server, the OCSP responder may be contacted by the HTTPS server itself, which then attaches the signed response to the TLS handshake (OCSP stapling); otherwise the application client must contact the OCSP responder directly.
When OCSP is enabled, the BigFix Server adds an option to the HTTPS request asking the HTTPS server to use OCSP stapling; the request can:
- succeed (the certificate is not revoked);
- fail for a reason that does not depend on the OCSP check;
- fail because the certificate has been revoked;
- fail because the HTTPS server is not configured for OCSP stapling.
In this last scenario, the BigFix Server contacts the OCSP responder directly to ask for the revocation status; if the certificate is reported as not revoked, the HTTPS request is retried without the OCSP check.
The OCSP responder URL is reported in the HTTPS server certificate inside the Authority Information Access extension. If this extension is missing, the OCSP check is skipped and the certificate is considered valid (not revoked).
The OCSP check is also skipped when downloading from a server with a trusted Self Signed certificate, as described in Customizing HTTPS for downloads.
If an intermediate certificate has been revoked, the request fails as if the server certificate itself had been revoked.
If the BigFix Server cannot contact the OCSP responder because of connection problems or other errors, the request fails.
When the revocation status is certain (whether valid or revoked), the status is cached for 6 hours, so the OCSP check is not repeated during that interval.
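The decision flow described on this page (stapling first, direct responder query as fallback, no check without an AIA extension or for a trusted self-signed certificate, failure on a revoked intermediate or an unreachable responder, and a 6-hour cache for certain answers) can be modelled end to end. The following is an added example written for this page, not BigFix code: the `Certificate`, `ServerBehaviour`, `Responder` and `OcspChecker` classes are constructed stand-ins, and the simulated responder answers from a fixed table instead of speaking OCSP over the network.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple
import time

CACHE_TTL_SECONDS = 6 * 3600  # certain answers are cached for 6 hours


class Status(Enum):
    GOOD = "good"        # not revoked
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder unreachable or gave no usable answer


@dataclass
class Certificate:
    subject: str
    ocsp_url: Optional[str]            # OCSP URI from the AIA extension; None if absent
    trusted_self_signed: bool = False  # trusted self-signed download server


@dataclass
class ServerBehaviour:
    """What the HTTPS server does when asked for OCSP stapling (constructed)."""
    staples: bool                   # False -> not configured for OCSP stapling
    transport_error: bool = False   # failure unrelated to the OCSP check


class Responder:
    """Simulated OCSP responder: fixed answers keyed by subject, optionally down."""
    def __init__(self, answers: Dict[str, Status], reachable: bool = True):
        self.answers, self.reachable, self.queries = answers, reachable, 0

    def query(self, cert: Certificate) -> Status:
        self.queries += 1
        if not self.reachable:
            return Status.UNKNOWN
        return self.answers.get(cert.subject, Status.GOOD)


class OcspChecker:
    def __init__(self, responder: Responder, clock=time.time):
        self.responder, self.clock = responder, clock
        self._cache: Dict[str, Tuple[Status, float]] = {}

    def status_of(self, cert: Certificate, stapled: Optional[Status]) -> Status:
        if cert.ocsp_url is None:
            return Status.GOOD              # no AIA extension: check skipped
        entry = self._cache.get(cert.subject)
        if entry and entry[1] > self.clock():
            return entry[0]                 # fresh cached answer, no OCSP traffic
        # Use the stapled answer when the server supplied one, else ask directly.
        status = stapled if stapled is not None else self.responder.query(cert)
        if status is not Status.UNKNOWN:    # only certain answers are cached
            self._cache[cert.subject] = (status, self.clock() + CACHE_TTL_SECONDS)
        return status

    def request(self, chain: List[Certificate], server: ServerBehaviour) -> Tuple[bool, str]:
        """chain[0] is the HTTPS server certificate, the rest are intermediates."""
        if server.transport_error:
            return False, "failed for a reason unrelated to OCSP"
        if chain[0].trusted_self_signed:
            return True, "trusted self-signed certificate: OCSP check skipped"
        for i, cert in enumerate(chain):
            # A stapling server fetches its own status from the responder and
            # hands it over; intermediates are always asked of the responder.
            stapled = self.responder.query(cert) if (i == 0 and server.staples) else None
            status = self.status_of(cert, stapled)
            if status is Status.REVOKED:
                return False, f"{cert.subject} is revoked"
            if status is Status.UNKNOWN:
                return False, f"OCSP responder for {cert.subject} could not be contacted"
        return True, "no certificate in the chain is revoked"


if __name__ == "__main__":
    # Constructed chain and responder; names are placeholders.
    chain = [Certificate("download.example", "http://ocsp.example/"),
             Certificate("intermediate-ca", "http://ocsp.example/")]
    checker = OcspChecker(Responder({"intermediate-ca": Status.REVOKED}))
    print(checker.request(chain, ServerBehaviour(staples=False)))
```

The cache is keyed per certificate and holds only `GOOD` or `REVOKED`; an `UNKNOWN` answer is never stored, so a responder outage is retried on the next request rather than being remembered for six hours.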