Revocation Checking of Server Certificates
via OCSP
In addition to checking the server certificate‘s validity (signatures, expiration date,
uses), the switch also checks the revocation status of each certificate in the chain
using the Online Certificate Status Protocol (OCSP).
The following rules are enforced:
- The location of the OSCP server must
be embedded in the certificate being verified. If missing, the certificate will not
be trusted.
- If the OCSP server is not reachable,
the certificate will not be trusted.
- If the OSCP server reports that the
certificate has been revoked, the certificate will not be trusted.
- Every certificate in the chain will
be revocation checked (except for the Root certificate, which is not revokable by
definition).
- The OCSP response must be signed. The
switch supports all three OCSP trust models:
- Common Issuer: CA that signs
cert also signs OSCP response
- Trusted Responder Model
(TRM): OCSP response signed by a self-signed certificate that is trusted by
the switch for this purpose
- Delegated Trust Model (DTM):
CA that signs cert issues the CA that signs OCSP response