Revocation Checking of Server Certificates via OCSP
In addition to checking the server certificate's validity (signatures, expiration date, key usage), the switch also checks the revocation status of each certificate in the chain using the Online Certificate Status Protocol (OCSP).
The following rules are enforced:
- The location of the OCSP server must be embedded in the certificate being verified. If missing, the certificate will not be trusted.
- If the OCSP server is not reachable, the certificate will not be trusted.
- If the OCSP server reports that the certificate has been revoked, the certificate will not be trusted.
- Every certificate in the chain will be revocation checked (except for the Root certificate, which is not revocable by definition).
- The OCSP response must be signed. The switch supports all three OCSP trust models:
  - Common Issuer: the Certificate Authority (CA) that signs the certificate also signs the OCSP response
  - Trusted Responder Model (TRM): the OCSP response is signed by a self-signed certificate that is trusted by the switch for this purpose
  - Delegated Trust Model (DTM): the CA that signs the certificate issues the certificate that signs the OCSP response
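The rules above form a decision procedure. The following is an added example, not the switch vendor's code, that models that procedure in Python over simplified certificate records (no real X.509 parsing or signature verification; `Cert`, `OcspResponse`, `check_chain`, `signer_trust_model` and the sample certificate names are all constructed for the example). It walks the chain from the server certificate up to, but excluding, the root, fails closed on a missing responder location, an unreachable responder, a bad signature, an untrusted signer or a revoked status, and classifies the response signer under the three trust models. One assumption beyond the text: an "unknown" OCSP status is treated like "revoked".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (constructed for this example)."""
    subject: str
    issuer: str
    ocsp_url: Optional[str] = None   # responder location carried in the cert; None = absent
    ocsp_signing_eku: bool = False   # True if the cert is marked for OCSP signing (needed for DTM)

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str        # "good", "revoked" or "unknown"
    signer: Cert            # certificate whose key signed the response
    signature_valid: bool   # outcome of verifying the response signature


# fetch(url, cert) returns the responder's answer, or None when the responder is unreachable
Fetch = Callable[[str, Cert], Optional[OcspResponse]]


def signer_trust_model(cert: Cert, signer: Cert, trusted_responders: List[Cert]) -> Optional[str]:
    """Name the trust model under which `signer` may vouch for `cert`, or None if untrusted."""
    if signer.subject == cert.issuer:                       # Common Issuer
        return "common-issuer"
    if signer.is_self_signed and signer in trusted_responders:   # Trusted Responder Model
        return "trusted-responder"
    if signer.issuer == cert.issuer and signer.ocsp_signing_eku:  # Delegated Trust Model
        return "delegated"
    return None


def check_chain(chain: List[Cert], trusted_responders: List[Cert], fetch: Fetch) -> Tuple[bool, str]:
    """chain[0] is the server cert, chain[-1] the root. Returns (trusted, reason)."""
    for cert in chain[:-1]:                      # root is exempt: it cannot be revoked
        if cert.ocsp_url is None:
            return False, f"{cert.subject}: no OCSP responder location in certificate"
        resp = fetch(cert.ocsp_url, cert)
        if resp is None:
            return False, f"{cert.subject}: OCSP responder unreachable"
        if not resp.signature_valid:
            return False, f"{cert.subject}: OCSP response signature invalid"
        model = signer_trust_model(cert, resp.signer, trusted_responders)
        if model is None:
            return False, f"{cert.subject}: OCSP response signer not trusted"
        # Assumption: anything other than "good" (including "unknown") is rejected, fail closed.
        if resp.cert_status != "good":
            return False, f"{cert.subject}: OCSP status {resp.cert_status} ({model})"
    return True, "every non-root certificate is unrevoked"


# Constructed sample chain and responders (not real certificates).
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Issuing CA", "Example Root CA", ocsp_url="http://ocsp.root.example")
LEAF = Cert("switch-mgmt.example", "Example Issuing CA", ocsp_url="http://ocsp.issuing.example")
LEAF_NO_URL = Cert("switch-mgmt.example", "Example Issuing CA")
CHAIN = [LEAF, INTER, ROOT]
TRM_RESPONDER = Cert("Example OCSP Responder", "Example OCSP Responder")
DTM_RESPONDER = Cert("Issuing CA OCSP Signer", "Example Issuing CA", ocsp_signing_eku=True)
GOOD_INTER = OcspResponse("good", ROOT, True)     # intermediate vouched for by its issuer


def make_fetch(responses: Dict[Cert, OcspResponse]) -> Fetch:
    """Simulated responder: a certificate missing from the map models an unreachable server."""
    def fetch(url: str, cert: Cert) -> Optional[OcspResponse]:
        return responses.get(cert)
    return fetch


def scenarios() -> Dict[str, bool]:
    """Run each constructed case through check_chain; value is whether the chain is trusted."""
    cases = {
        "common_issuer_good": (CHAIN, {LEAF: OcspResponse("good", INTER, True), INTER: GOOD_INTER}),
        "trm_good": (CHAIN, {LEAF: OcspResponse("good", TRM_RESPONDER, True), INTER: GOOD_INTER}),
        "dtm_good": (CHAIN, {LEAF: OcspResponse("good", DTM_RESPONDER, True), INTER: GOOD_INTER}),
        "leaf_revoked": (CHAIN, {LEAF: OcspResponse("revoked", INTER, True), INTER: GOOD_INTER}),
        "intermediate_revoked": (CHAIN, {LEAF: OcspResponse("good", INTER, True),
                                         INTER: OcspResponse("revoked", ROOT, True)}),
        "responder_unreachable": (CHAIN, {INTER: GOOD_INTER}),
        "untrusted_signer": (CHAIN, {LEAF: OcspResponse("good", Cert("Rogue", "Rogue"), True),
                                     INTER: GOOD_INTER}),
        "bad_signature": (CHAIN, {LEAF: OcspResponse("good", INTER, False), INTER: GOOD_INTER}),
        "missing_ocsp_url": ([LEAF_NO_URL, INTER, ROOT], {INTER: GOOD_INTER}),
    }
    return {name: check_chain(chain, [TRM_RESPONDER], make_fetch(r))[0]
            for name, (chain, r) in cases.items()}


if __name__ == "__main__":
    for name, trusted in scenarios().items():
        print(f"{name:24s} -> {'trusted' if trusted else 'NOT trusted'}")
```

Only the three "good" scenarios end up trusted; every other case trips one of the rules, and the reason string from `check_chain` says which one, which is the kind of detail worth surfacing in a device log when a TLS connection is rejected.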