Dell PowerConnect W-Series ArubaOS 6.2 | User Guide Certificate Revocation | 228
Chapter 16

Certificate Revocation

The Certificate Revocation feature enables the ArubaOS controller to perform real-time certificate revocation
checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate
Revocation List (CRL) client.
Topics in this chapter include:
• "Understanding OCSP and CRL" on page 228
• "Configuring the Controller as a CRL Client" on page 230
• "Configuring the Controller as an OCSP Responder" on page 231
• "Configuring the Controller as an OCSP Client" on page 229

Understanding OCSP and CRL

OCSP (RFC 2560) is a standard protocol that consists of an OCSP client and an OCSP responder. This protocol
determines the revocation status of a given digital public-key certificate without having to download the entire CRL.
CRL is the traditional method of checking certificate validity. A CRL provides a list of certificate serial numbers
that have been revoked or are no longer valid. CRLs let the verifier check the revocation status of the presented
certificate while verifying it. CRLs are limited to 512 entries.

Configuring a Controller as OCSP and CRL Clients

The ArubaOS controller can act as an OCSP client and issues OCSP queries to remote OCSP responders located on
the intranet or Internet. As many applications in ArubaOS (such as IKE) use digital certificates, a protocol such as
OCSP needs to be implemented for revocation.
An entity that relies on the content of a certificate (a relying party) needs to do the checking before accepting the
certificate as being valid. One check verifies that the certificate has not been revoked. The OCSP client retrieves
certificate revocation status from an OCSP responder. The responder may be the CA (Certificate Authority) that
has issued the certificate in question, or it may be some other designated entity which provides the service on behalf
of the CA. A revocation checkpoint is a logical profile that is tied to each CA certificate that the controller has
(trusted or intermediate). Also, the user can specify revocation preferences within each profile.
The OCSP request is not signed by the Dell OCSP client at this time. However, the OCSP response is always signed
by the responder.
Both OCSP and CRL configuration and administration are usually performed by the administrator who manages the
web access policy for an organization.
In small networks where there is no Internet connection or connection to an OCSP responder, CRL is a better
option than OCSP.
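The relying-party check described above, shown end to end with openssl as an added example (this is not the guide's own procedure and does not touch a controller): a throw-away CA issues one leaf certificate, then the same revocation status is obtained both ways, first by verifying against a CRL and then by sending an unsigned OCSP request to a responder that answers from the CA's database and signs its response. All file and subject names are invented for the lab.

```shell
# Constructed lab (not from the guide): throw-away CA, one leaf, two offline revocation checks.
set -e; LAB=$(mktemp -d); cd "$LAB"

# Minimal 'openssl ca' config; index.txt is the CA database that both the
# CRL generator and the OCSP responder consult for revocation status.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
policy = pol
default_md = sha256
default_crl_days = 7
[ pol ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial; echo 1000 > crlnumber

# Trusted CA, then a leaf issued via 'openssl ca' so it is recorded (V) in index.txt.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=controller.lab.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -config ca.cnf -keyfile ca.key -cert ca.pem -days 30 -notext \
  -in leaf.csr -out leaf.pem >/dev/null 2>&1

# CRL check: issue a fresh CRL from the database, verify the leaf against it.
crl_status() {
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem -out crl.pem 2>/dev/null
  if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem >/dev/null 2>&1
  then echo good; else echo revoked; fi
}

# OCSP check: client writes an unsigned request, responder answers from
# index.txt and signs with its key, client verifies the signature via ca.pem.
ocsp_status() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -reqout req.der >/dev/null 2>&1
  openssl ocsp -reqin req.der -index index.txt -CA ca.pem -rsigner ca.pem \
    -rkey ca.key -respout resp.der >/dev/null 2>&1
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
    -no_nonce 2>/dev/null | sed -n 's/^leaf.pem: //p'
}

# Mark the leaf revoked in the CA database; both checks then flip.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.pem -keyfile ca.key -cert ca.pem >/dev/null 2>&1
}
```

Note that crl_status regenerates the CRL on every call; a relying party holding a cached CRL would keep reporting "good" until the next CRL is published, which is the latency OCSP avoids.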

Configuring an OCSP Controller as a Responder

The ArubaOS controller can be configured to act as an OCSP responder (server) and respond to OCSP queries from
clients that are trying to obtain revocation status of certificates.