SonicOS Enhanced 4.0 Administrator Guide
Online Certificate Status Protocol (OCSP) determines the current status of a digital certificate
without using a Certificate Revocation List (CRL). OCSP enables the client or application to
query the status of one identified certificate directly, which gives more timely information
than a periodically published CRL. In addition, each client typically checks only a few
certificates and does not incur the overhead of downloading an entire CRL for those few
entries, which greatly reduces the network traffic associated with certificate validation.
OCSP transports messages over HTTP for maximum compatibility with existing networks. Because
responses travel as ordinary HTTP objects, any caching proxy in the path must be configured so
that it does not hand the client a cached copy of an OCSP response that is out of date.
The OCSP client communicates with an OCSP responder. The OCSP responder can be a CA
server or another server that communicates with the CA server to determine the certificate
status. The OCSP client issues a status request to an OCSP responder and suspends the
acceptance of the certificate until the responder provides a response. The client request
includes data such as protocol version, service request, target certificate identification and
optional extensions. These optional extensions may or may not be acknowledged by the OCSP
responder.
The OCSP responder receives the request from the client and checks that the message is
properly formed, that the responder is able to handle the service requested, and that the
request contains the information needed for that service. If all conditions are satisfied, the
responder returns a definitive response to the OCSP client. The OCSP responder is required to
provide a basic response of GOOD, REVOKED, or UNKNOWN. If both the OCSP client and responder
support the optional extensions, other responses are possible.
GOOD is the desired response, as it indicates the certificate has not been revoked. REVOKED
indicates that the certificate has been revoked. UNKNOWN indicates that the responder has no
information about the certificate in question, usually because it was issued by a CA the
responder does not serve. UNKNOWN does not validate the certificate: the responder is not
vouching for it, and a client must not treat it like GOOD.
OCSP servers typically work with a CA server in a push or pull setup. The CA server can be
configured to push its CRL (revocation list) to the OCSP server, or the OCSP server can be
configured to periodically download (pull) the CRL from the CA server. The OCSP server must
also be configured with an OCSP response signing certificate issued by the CA server. That
signing certificate must be issued by the same CA that issued the certificates being checked
and must carry the OCSP Signing extended key usage (id-kp-OCSPSigning); a response signed with
a certificate that lacks this extension is rejected by the OCSP client.
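The request/response exchange described above and the index-backed responder with its CA-issued signing certificate from the preceding paragraph, run offline with the openssl command line. This is an added example, not SonicWALL or OpenCA code: the throwaway CA, the three client certificates, the delegated responder certificate, the mis-issued responder certificate, the serial numbers and the index file are all constructed here, and openssl's ocsp subcommand plays both the client and the responder. The final call shows the failure the guide warns about: a signing certificate issued by the CA but lacking the OCSP Signing extended key usage is rejected by the client even though its signature is valid.

```shell
#!/bin/sh
# Offline OCSP round trip with the openssl CLI. Everything below is constructed for the
# demonstration (throwaway CA, clients, responder certificates, index); it is not vendor code.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: [req]/[dn] satisfy "openssl req"; the rest are extension profiles.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ocsp_signer ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
[ bad_signer ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
EOF

# The CA that issues both the client certificates and the responder's signing certificate.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -key ca.key -subj "/CN=Example Issuing CA" -days 30 \
    -config pki.cnf -extensions v3_ca -out ca.pem 2>/dev/null

# issue_cert <basename> <CN> <serial, hex> <extension profile>
issue_cert() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$2" -config pki.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -set_serial "0x$3" -days 30 \
        -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
issue_cert client-ok       vpn-client-ok       1001 client
issue_cert client-revoked  vpn-client-revoked  1002 client
issue_cert client-stranger vpn-client-stranger 1003 client   # never recorded in the index
issue_cert ocsp    "Example OCSP Responder" 2001 ocsp_signer
issue_cert badocsp "Mis-issued Responder"   2002 bad_signer  # no OCSPSigning EKU

# Revocation data as the responder sees it: a CA index in "openssl ca" format
# (status, expiry, revocation date, serial, file, subject). Serial 1003 is absent.
printf 'V\t400101000000Z\t\t1001\tunknown\t/CN=vpn-client-ok\n' > index.txt
printf 'R\t400101000000Z\t240101000000Z\t1002\tunknown\t/CN=vpn-client-revoked\n' >> index.txt

# ocsp_round_trip <client cert> <responder basename>
# 1. the client builds the request (no nonce, so the offline exchange is deterministic),
# 2. the responder answers from index.txt and signs with the given certificate,
# 3. the client verifies the response against the CA and reports the certificate status.
# Prints good, revoked or unknown; prints verify-failed if the response is not trusted.
ocsp_round_trip() {
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout req.der 2>/dev/null
    openssl ocsp -index index.txt -CA ca.pem -rsigner "$2.pem" -rkey "$2.key" \
        -reqin req.der -respout resp.der 2>/dev/null
    if out=$(openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -respin resp.der \
             -CAfile ca.pem 2>/dev/null); then
        printf '%s\n' "$out" | awk -v c="$1:" '$1 == c { print $2 }'
    else
        echo verify-failed
    fi
}

for c in client-ok client-revoked client-stranger; do
    echo "$c via delegated signer: $(ocsp_round_trip "$c.pem" ocsp)"
done
echo "client-ok via signer lacking OCSPSigning: $(ocsp_round_trip client-ok.pem badocsp)"
```

The responder side here is the pull model: openssl ocsp -index answers from the CA's index file, so the responder needs current revocation data from the CA, not a live connection to it. Against a real responder the client step is a single command, for example openssl ocsp -issuer ca.pem -cert client.pem -url http://responder:2560 -CAfile ca.pem, and the nonce should be kept so that a replayed response is detected.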
OpenCA OCSP Responder
Using OCSP requires the OpenCA OCSP Responder, from the OpenCA (OpenSource Certificate
Authority) project, as it is the only supported OCSP responder. OpenCA OCSP Responder is
available at http://www.openca.org/ocspd/. It is an RFC 2560-compliant OCSP responder that
listens on port 2560 by default, a nod to the RFC it implements.
Loading Certificates to use with OCSP
For SonicOS to act as an OCSP client to a responder, the CA certificate (the certificate of the
CA that issued the certificates to be checked and the responder's signing certificate) must be
loaded onto the SonicWALL.
Step 1 On the System -> Certificates page, click on the Import button. This will bring up the Import
Certificate page.
Step 2 Select the Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer)
encoded file option and specify the location of the certificate.