Enabling Certificate Revocation Checking

Certificate revocation checking uses OCSP (Online Certificate Status Protocol) to determine whether a certificate presented by the SSH client to the SSH server, which binds the client's identity to its public key, has been revoked by the issuing CA before its expiration date.

A Certificate Authority (CA) may need to revoke a certificate it has issued before that certificate's expiration date. Some reasons for revocation include:

  • The user's private key was compromised (keyCompromise)
  • A CA in the certificate's chain was compromised (cACompromise)
  • The certificate has been replaced by a newer one (superseded)

When OCSP is disabled, checking is not performed and the revocation status of all certificates is assumed to be good (not revoked).

When OCSP is enabled, the switch attempts to obtain revocation status from one of the available OCSP Responders (OCSRs). If an OCSR replies with a certificate status of good, certificate chain verification resumes. If an OCSR replies with a request failure, or with a certificate status other than good (revoked or unknown), certificate authentication fails. The request failures, with their OCSP response status names, are:

  • Malformed Request (malformedRequest)
  • OCSR Internal Error (internalError)
  • Try Later (tryLater)
  • Signature Required (sigRequired)
  • Unauthorized (unauthorized)

If the queried OCSR cannot be reached or does not reply, the next available OCSR is queried. Note the distinction: a responder that answers with an error is a definitive result and fails the authentication, while a responder that does not answer at all only causes the switch to move on to the next one. If the list of available OCSRs is exhausted without a reply, revocation checking, and therefore certificate verification, is declared a failure.

The certificate used to sign an OCSR response must itself be successfully verified and revocation checked. Any verification failure or revocation of the OCSP signing certificate will be treated as an authentication failure of the user certificate.

At this time, only the leaf certificate in a user certificate chain has its revocation status checked. It is assumed that if one of the intermediate or root CA certificates in the chain has been revoked, the OCSP Responder will not return a status of good when the user certificate is queried.
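The exchange described above, reproduced offline with OpenSSL as an added example (this is not Enterasys code and not the switch's implementation): a constructed lab CA issues a user certificate and a delegated OCSP signing certificate, an index file stands in for the CA's revocation database, and openssl ocsp plays first the responder and then the verifying client. The script produces the three certificate statuses the switch acts on (good, revoked with reason keyCompromise, and unknown for a serial the responder has never seen) and shows the signing-certificate check: a response signed by a certificate that does not chain to the CA is rejected regardless of the status it carries. All file names, subjects and serial numbers are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Enterasys code: reproduce the OCSP exchange offline with
# OpenSSL. Everything below is constructed for the example: a lab CA, one user
# (leaf) certificate, a delegated OCSP signing certificate, a rogue signer, and
# index files that stand in for the CA's revocation database.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on the host's openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Lab CA (self-signed, constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -config req.cnf -extensions v3_ca -subj "/CN=Example Lab CA" -days 30 2>/dev/null

# User certificate, serial 0x1001: the leaf the SSH client would present.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -config req.cnf -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -out leaf.pem -days 30 2>/dev/null

# Delegated OCSP signing certificate: issued by the same CA and marked with the
# OCSPSigning extended key usage. The verifying side checks both before it
# trusts a response (the signing-certificate verification described above).
printf 'keyUsage=digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl req -new -newkey rsa:2048 -nodes -keyout resp.key -out resp.csr \
    -config req.cnf -subj "/CN=Example Lab OCSP Responder" 2>/dev/null
openssl x509 -req -in resp.csr -CA ca.pem -CAkey ca.key -set_serial 0x2001 \
    -extfile ocsp.ext -out resp.pem -days 30 2>/dev/null

# Rogue signer: self-signed, never issued by the CA. A "good" answer signed by
# it must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.pem \
    -config req.cnf -subj "/CN=Rogue Responder" -days 30 2>/dev/null

# Revocation databases in "openssl ca" index format, tab-separated fields:
# status, expiry, revocation-date[,reason], serial (hex), file, subject.
printf 'V\t351231235959Z\t\t1001\tunknown\t/CN=alice\n' > index_good.txt
printf 'R\t351231235959Z\t240101000000Z,keyCompromise\t1001\tunknown\t/CN=alice\n' > index_revoked.txt
printf 'V\t351231235959Z\t\t1002\tunknown\t/CN=bob\n' > index_unknown.txt   # 0x1001 absent

# ocsp_check INDEX SIGNER_CERT SIGNER_KEY
#   1. the client builds an OCSP request for leaf.pem,
#   2. the responder answers it from INDEX, signing with SIGNER_CERT/SIGNER_KEY,
#   3. the client verifies the response and reports the certificate status.
# Prints good, revoked or unknown; prints VERIFY_FAILURE when the response
# signer does not verify, which the switch treats as an authentication failure.
ocsp_check() {
    index=$1; signer=$2; key=$3
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1
    openssl ocsp -index "$index" -CA ca.pem -rsigner "$signer" -rkey "$key" \
        -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
    if out=$(openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem \
                 -CAfile ca.pem -no_nonce 2>/dev/null); then
        printf '%s\n' "$out" | sed -n 's/^leaf\.pem: //p'
    else
        echo VERIFY_FAILURE
    fi
}

ocsp_check index_good.txt    resp.pem  resp.key    # good
ocsp_check index_revoked.txt resp.pem  resp.key    # revoked
ocsp_check index_unknown.txt resp.pem  resp.key    # unknown
ocsp_check index_good.txt    rogue.pem rogue.key   # VERIFY_FAILURE
```

Run it as a shell script on a host with openssl installed. Each ocsp_check call prints the status the verifying side would act on; only good lets authentication continue, exactly as the switch behaves, and the rogue case shows why the signing certificate must itself chain to a trusted CA before any status it reports can be believed. What the script does not model is the responder-list fallback: the switch moves to the next OCSR only when a responder does not answer, never on an answered error.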

Use the set pki ocsp command to globally enable or disable OCSP certificate revocation checking.

This example shows how to disable OCSP certificate revocation checking on the device:

System(su)->set pki ocsp disable
System(su)->