Online Certificate Status Protocol (OCSP)
What is OCSP?
The Online Certificate Status Protocol (OCSP) is an alternative to the certificate revocation list (CRL) and is used to check whether a digital certificate is valid or if it has been revoked.
The OCSP is an Internet Protocol (IP) that certificate authorities (CAs) use to determine the status of secure sockets layer/transport layer security (SSL/TLS) certificates, which are common applications of X.509 digital certificates. This helps web browsers check the status and validity of Hypertext Transfer Protocol Secure (HTTPS) websites.
What is a Certificate Authority?
CAs are central to issuing and managing digital certificates, ensuring secure communications, and verifying user identities. They do this through the public key infrastructure (PKI) X.509 certificate, which contains information like the owner’s name and public key, the name of the issuing CA, the certificate’s validity date, and what it can be used for.
CAs provide a digital signature to prevent this information from being modified, then use a private key to verify a digital certificate. Anyone who has that public key can use it to generate a signature on the certificate signing request (CSR).
Why Is Certificate Revocation Important?
Digital certificates are vital to guaranteeing trust on the internet, like a digital identification card for websites. A web browser requires any HTTPS website to provide a certificate that validates its hostname and a private key. Take note that if an attacker is able to obtain access to a private key, they can impersonate the website.
So certificate revocation is crucial to mitigating vulnerabilities and potential key compromise. The website's owner can revoke a certificate by informing the issuer that the certificate should not be trusted. A good example of this is Cloudflare revoking all managed certificates when the Heartbleed vulnerability was found capable of stealing private keys.
How Does OCSP Work?
When a certificate validity request is made, an OCSP request is submitted to an OCSP responder, which is a server operated by the issuing CA. The OCSP responder checks the request’s validity with a trusted CA, which advises whether the certificate is valid or not, with a response of current, revoked, or unknown. Most popular, widely used web browsers support OCSP, including Apple Safari, Internet Explorer, Microsoft Edge, and Mozilla Firefox.
OCSP and CRL
Web browsers use several methods to check if a site’s certificate has been revoked. OCSP and CRL are two of the most common. A CRL is a list containing serial numbers of all certificates that have been revoked by a CA. However, CRLs can present issues, as they can become outdated and have to be downloaded.
OCSP security is a protocol used to discover the revocation status of a certificate and contains signatures that assert a certificate has not been revoked. This makes it a more effective and efficient validation process, as it does not require a list to be downloaded to discover the status of a certificate.
OCSP checking does cause problems of its own, including increasing costs for CAs and concerns around privacy. For example, live OCSP checking can leak private browsing data, as requests are sent on unencrypted Hypertext Transfer Protocol (HTTP) traffic and tied to specific certificates. Therefore, sending a request tells a CA which websites a user visits, and anyone on the network path between their browser and the OCSP will see the sites they visit. It can also create browser performance issues, such as slow browsing experiences caused by third parties confirming the validity of a certificate.
Some of these issues can be addressed through OCSP stapling, a technique that delivers revocation information to browsers. The certificate stapling process involves a current OCSP response being stapled into the HTTPS connection. This requires less traffic between the server and the browser, which then no longer has to request the OCSP itself.
How Certificate Management Fits Into Network Security
Certificate management is crucial to creating, storing, and revoking digital certificates. It can be provided through the Fortinet identity and access management (IAM) solution, which allows organizations to confirm the identity of their devices and users as they enter a network. This ensures that organizations can securely connect only the right users to only the resources they should have access to.
The Fortinet solution includes the FortiAuthenticator, which provides access management, authentication, and single sign-on (SSO) to prevent unauthorized access to networks and limits users to only access the right resources. This is key to creating effective security policies, protecting sensitive data and networks, and providing appropriate access control levels.