OCSP and CRL Check Behavior on NetScaler
Article ID: CTX138304
Updated On:
Description
This article contains information about the NetScaler behavior after configuring both Online Certificate Status Protocol (OCSP) check and Certificate Revocation List (CRL) check at the SSL virtual server level.
Requirements
You need to know how to configure OSCP and CRL check. Refer to the following links for more information on OCSP and CRL check configuration:
-
Citrix Documentation - Configuring an OCSP Responder
-
Citrix Documentation- Managing Certificate Revocation Lists
Behavior of OCSP and CRL Check Configuration
The following list describes how the OCSP and CRL check configuration functions:
-
If OCSPcheck parameter is set as mandatory, CRLcheck parameter will not be effective even if it is optionally enabled internally.
-
If CRL check is mandatory, then CRL check will be effective even if OCSP is configured.
-
Both OCSP and CRL check cannot be set as mandatory.
Set OCSP and CRL Check as Optional
Run the following command to configure OCSP or CRL check parameters as optional:
set ssl vserver vs1 –clientcert mandatory –clientauth enabled
bind ssl vserver vs1 -certkeyName ca_cert -CA -ocspCheck Optional
OR
bind ssl vserver vs1 -certkeyName ca_cert -CA -crlCheck Optional
Note: You can only use either ocspcheck or crlcheck parameter at any one point. Enabling both parameter is not supported.
The following list provides the sequence of action that occur when OCSP and CRL check is set as optional:
-
If OCSP responder is available and certificate is revoked, then the handshake fails.
-
If OCSP responder is available and certificate is current, then the handshake succeeds.
-
If OCSP responder is not configured, then it applies CRL check.
-
If CRL is available and certificate is revoked, then the handshake fails.
-
If CRL is available and certificate is current, then the handshake succeeds.
-
Handshake fails if CRL is available but succeeds when CRL is missing and CRL check is set as optional. Handshake can only fail if CRL is missing and CRL check is set as mandatory.
The following table illustrates the result of a handshake with a client when using a revoked certificate:
|
Rule for CRL Check |
Rule for Client Certificate Check |
State of the CRL Configured for CA Certificate |
Result of a Handshake with a Revoked Certificate |
|
Optional |
Optional |
Missing |
Success |
|
Optional |
Mandatory |
Missing |
Success |
|
Optional |
Mandatory |
Present |
Failure |
|
Mandatory |
Optional |
Missing |
Success |
|
Mandatory |
Mandatory |
Missing |
Failure |
|
Mandatory |
Optional |
Present |
Success |
|
Mandatory |
Mandatory |
Present |
Failure |
|
Optional/Mandatory |
Optional |
Expired |
Success |
|
Optional/Mandatory |
Mandatory |
Expired |
Failure |
Issue/Introduction
