Revocation Checking of Server Certificates via OCSP
In addition to checking the server certificate's validity (signatures, expiration date, key usage), the switch also checks the revocation status of each certificate in the chain using the Online Certificate Status Protocol (OCSP).
The following rules are enforced:
- The location of the OCSP server must be embedded in the certificate being verified. If it is missing, the certificate will not be trusted.
- If the OCSP server is not reachable, the certificate will not be trusted.
- If the OCSP server reports that the certificate has been revoked, the certificate will not be trusted.
- Every certificate in the chain is revocation checked, except for the root certificate, which is not revocable by definition.
- The OCSP response must be signed. The switch supports all three OCSP trust models:
  - Common Issuer: the Certificate Authority (CA) that signs the certificate also signs the OCSP response.
  - Trusted Responder Model (TRM): the OCSP response is signed by a self-signed certificate that the switch trusts for this purpose.
  - Delegated Trust Model (DTM): the CA that signs the certificate also issues the certificate of the responder that signs the OCSP response.
Beginning with ExtremeXOS 31.6, you can configure the RADIUS over TLS OCSP attributes (nonce, override, and ocsp-nocheck, respectively) using the following commands:
- configure radius tls ocsp nonce [on | off]
- configure radius tls ocsp override [url | none]
- configure radius tls ocsp signer ocsp-nocheck [on | off]
OCSP nonce cryptographically binds an OCSP request to its OCSP response through the id-pkix-ocsp-nonce extension, so that a captured earlier response cannot be replayed.
OCSP override configures one HTTP Online Certificate Status Protocol (OCSP) override URL for a RADIUS TLS server.
When ocsp-nocheck is enabled for a peer certificate, ExtremeXOS sends the OCSP request to the OCSP server. The OCSP response is signed by the OCSP responder (signer), and the certificate of the OCSP signer accompanies the response. When ExtremeXOS receives the response, it checks only that the status of the peer certificate is not revoked; the signer's certificate itself is not revocation checked.
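The following Python model is an added illustration of the rules above; it is not ExtremeXOS code. Certificates and responses are plain dataclasses standing in for real X.509 and OCSP objects, signature verification is assumed to have already passed, and every name, URL and value in it is constructed for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Cert:
    subject: str
    issuer: str                        # subject of the signing CA (same as subject for a root)
    ocsp_url: Optional[str] = None     # OCSP responder location embedded in the certificate

@dataclass
class OcspResponse:
    status: str                        # "good", "revoked" or "unknown"
    signer: Cert                       # certificate whose key signed the response
    nonce: Optional[bytes] = None      # id-pkix-ocsp-nonce echoed back by the responder

def signer_trusted(cert: Cert, resp: OcspResponse, trusted_responders: Set[str]) -> bool:
    """Accept the response signer under any of the three trust models."""
    s = resp.signer
    if s.subject == cert.issuer:                       # Common Issuer: issuing CA signs the response
        return True
    if s.issuer == s.subject and s.subject in trusted_responders:  # TRM: trusted self-signed responder
        return True
    return s.issuer == cert.issuer                     # DTM: issuing CA issued the responder cert

Responders = Dict[str, Callable[[Cert, Optional[bytes]], Optional[OcspResponse]]]

def check_chain(chain: List[Cert], responders: Responders, trusted_responders: Set[str],
                nonce_on: bool = True, override_url: Optional[str] = None) -> Tuple[bool, str]:
    """chain is leaf first, root last; a responder query returns None when unreachable."""
    for cert in chain[:-1]:                            # the root is never revocation checked
        url = override_url or cert.ocsp_url
        if url is None:
            return False, f"{cert.subject}: no OCSP URL in certificate"
        nonce = os.urandom(16) if nonce_on else None   # fresh nonce binds request and response
        query = responders.get(url)
        resp = query(cert, nonce) if query else None
        if resp is None:
            return False, f"{cert.subject}: OCSP responder unreachable"
        if nonce_on and resp.nonce != nonce:
            return False, f"{cert.subject}: nonce mismatch (stale or replayed response)"
        if not signer_trusted(cert, resp, trusted_responders):
            return False, f"{cert.subject}: OCSP response signer not trusted"
        if resp.status != "good":
            return False, f"{cert.subject}: status {resp.status}"
    return True, "chain trusted"

# Constructed sample chain: a DTM responder answers for the leaf, the root CA itself for the intermediate.
ROOT = Cert("Root CA", "Root CA")
INTER = Cert("Issuing CA", "Root CA", ocsp_url="http://ocsp.example.test/root")
LEAF = Cert("radius.example.test", "Issuing CA", ocsp_url="http://ocsp.example.test/issuing")
RESPONDER = Cert("OCSP Responder", "Issuing CA")

def sample_responders() -> Responders:
    return {"http://ocsp.example.test/issuing": lambda c, n: OcspResponse("good", RESPONDER, n),
            "http://ocsp.example.test/root": lambda c, n: OcspResponse("good", ROOT, n)}
```

Swapping one responder for one that returns a fixed old nonce shows why the nonce setting matters: the chain is rejected with nonce on and accepted with nonce off.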