Revocation Checking of Server Certificates via OCSP

In addition to checking the server certificate‘s validity (signatures, expiration date, uses), the switch also checks the revocation status of each certificate in the chain using the Online Certificate Status Protocol (OCSP).

The following rules are enforced:

The location of the OCSP server must be embedded in the certificate being verified. If missing, the certificate will not be trusted.
If the OCSP server is not reachable, the certificate will not be trusted.
If the OCSP server reports that the certificate has been revoked, the certificate will not be trusted.
Every certificate in the chain will be revocation checked (except for the Root certificate, which is not revokable by definition).
The OCSP response must be signed. The switch supports all three OCSP trust models:
- Common Issuer: Certificate Authority (CA) that signs cert also signs OCSP response
- Trusted Responder Model (TRM): OCSP response signed by a self-signed certificate that is trusted by the switch for this purpose
- Delegated Trust Model (DTM): CA that signs cert issues the CA that signs OCSP response

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Revocation Checking of Server Certificates via OCSP