Certificate revocation using OCSP or OCSP stapling in zero touch certificate management
The certificate revocation using OCSP or OCSP Stapling in zero touch certificate management feature introduces automatic creation and management of OCSP responders for certificates handled through the zero touch certificate management workflow.
OCSP validation in zero touch management only works if the certificate includes an OCSP URL in the Authority Information Access (AIA) extension. Since external or Command Line Interface (CLI) OCSP responder configurations are unavailable for zero touch certificates, OCSP revocation check cannot be performed when the AIA field is missing.
This feature automates the creation and binding of an OCSP responder using the OCSP URL embedded within the certificate itself. This validation capability applies to certificates:
- Pulled from the Console Cert Repository into NetScaler.
- Received by NetScaler from a peer during the SSL/TLS handshake process.
The system automatically creates and manages OCSP responders based on the method by which NetScaler receives the certificate, provided the certificate contains the OCSP field in the AIA extension.
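The precondition above (an OCSP URL in the certificate's AIA extension) is the one check worth running before relying on zero touch revocation. This is an added example, not NetScaler code: a standard-library DER walker that extracts the id-ad-ocsp URIs from a constructed AuthorityInfoAccessSyntax value, so the two failure cases (no AIA extension, AIA with only caIssuers) are visible. The hostnames are made up.

```python
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp, 1.3.6.1.5.5.7.48.1 (DER content bytes)
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers, 1.3.6.1.5.5.7.48.2

def _tlv(tag, content):
    """Encode one short-form DER TLV (content under 128 bytes, enough for the constructed sample)."""
    if len(content) >= 0x80:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(content)]) + content

def _parse_tlv(buf, pos):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it). Handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def _children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _parse_tlv(content, pos)
        yield tag, body

def build_aia(ocsp=(), ca_issuers=()):
    """Constructed sample: encode an AuthorityInfoAccessSyntax value (SEQUENCE OF AccessDescription)."""
    descs = [_tlv(0x30, _tlv(0x06, OID_OCSP) + _tlv(0x86, u.encode("ascii"))) for u in ocsp]
    descs += [_tlv(0x30, _tlv(0x06, OID_CA_ISSUERS) + _tlv(0x86, u.encode("ascii"))) for u in ca_issuers]
    return _tlv(0x30, b"".join(descs))

def ocsp_urls_from_aia(aia_der):
    """Return every OCSP URI: accessMethod == id-ad-ocsp and accessLocation is a [6] URI (tag 0x86)."""
    tag, body, _ = _parse_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA extension value must be a SEQUENCE")
    urls = []
    for t, desc in _children(body):
        items = list(_children(desc)) if t == 0x30 else []
        if len(items) == 2 and items[0] == (0x06, OID_OCSP) and items[1][0] == 0x86:
            urls.append(items[1][1].decode("ascii"))
    return urls

def zero_touch_ocsp_possible(aia_der):
    """True only when the certificate has an AIA extension carrying at least one OCSP URL."""
    return aia_der is not None and bool(ocsp_urls_from_aia(aia_der))

if __name__ == "__main__":
    sample = build_aia(ocsp=["http://ocsp.example.test"], ca_issuers=["http://ca.example.test/ca.crt"])
    print(ocsp_urls_from_aia(sample), zero_touch_ocsp_possible(build_aia(ca_issuers=["http://ca.example.test/ca.crt"])))
```

On a real PEM file the same check is `openssl x509 -in cert.pem -noout -ocsp_uri`, which prints nothing when the AIA extension has no OCSP entry.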
| Certificate Source | Action Upon Certificate Receipt | Responder Lifespan or Management |
|---|---|---|
| Pulled from Console Cert Repository | An OCSP responder is created using the OCSP URL from the certificate and is immediately bound to that certificate. | The OCSP responder persists in NetScaler as long as the certificate exists. |
| From a Peer During SSL Handshake | An OCSP responder is created using the OCSP URL from the certificate and is immediately bound to that certificate. | The OCSP responder is deleted after 15 minutes if it remains unused. |
This feature automates all of the manual configuration that was previously required for certificate revocation. By binding the OCSP responder directly from the certificate's embedded OCSP URL, it:
- Eliminates dependencies on other certificates.
- Ensures that all certificate types (server, client, and CA) have the OCSP responder bindings they need for automated revocation checks.
Global zero touch OCSP parameter configuration
Default values for Zero Touch OCSP settings are provided automatically and can be viewed with the show zerotouch command. These global settings are used to validate the received OCSP response.
| Parameter | Description |
|---|---|
| -ocspCacheTimeout | Minimum: 1; Maximum: 43200; Default: 1; Units: Minutes |
| -ocspHttpMethod | Possible values: POST or GET; Default: POST |
| -ocspTrustResponder | Possible values: YES or NO; Default: NO |
| -ocspUseNonce | Possible values: ENABLED or DISABLED; Default: ENABLED |
| -ocspResptimeout | Minimum: 100; Maximum: 120000; Default: 2000; Units: Milliseconds |
| -ocspbatchingDelay | Minimum: 1; Maximum: 10000; Default: 100; Units: Milliseconds |
| -ocspbatchingDepth | Minimum: 1; Maximum: 8; Default: 1 |
| -ocspUrlResolveTimeout | Minimum: 100; Maximum: 2000; Default: 100; Units: Milliseconds |
| -ocspProducedAtTimeSkew | Maximum: 86400; Default: 300; Units: Seconds |
Example modification (if necessary):
```
set ssl zerotouchparam -ocspCacheTimeout 1 -ocspBatchingDepth 1 -ocspBatchingDelay 100 -ocspResptimeout 4000 -ocspUrlResolveTimeout 1000 -ocspProducedAtTimeSkew 300 -ocspUseNonce ENABLED -ocspTrustResponder YES -ocspHttpMethod POST
<!--NeedCopy-->
```
SSL policy support for per-virtual server or service control
SSL policies can be used to control OCSP revocation checks at a granular level (for each virtual server or service).
Front-end SSL handshake (client-side)
OCSP stapling
Used to send the OCSP response as a certificate status handshake message to the SSL client.
The option to cache OCSP responses is provided at the policy level, enabling each virtual server or service to decide whether to cache OCSP responses. Cached responses are reused later, eliminating the need to send OCSP requests repeatedly.
Operational flow:
- When a ClientHello message includes the status_request extension, the server parses this extension.
- If ocspStapling is ENABLED through policy binding:
  - If the cache is ENABLED and a valid cache entry is available in NetScaler, the cached OCSP response is used and sent to the client.
  - If a cache entry is not available, an OCSP request is sent using the OCSP responder created from the SSL server certificate. The SSL handshake is put on hold until the request timeout.
- The received OCSP response is validated using the global OCSP settings from zerotouchparam.
- The OCSP response is then cached if CACHE ENABLE is set in the SSL action of the SSL policy.
Note:
OCSP stapling is available in the profile and can be used to enable the feature. However, if OCSP stapling is enabled in both the profile and a policy, the policy settings take precedence.
| Parameter | Description |
|---|---|
| ocspStapling | ENABLED or DISABLED |
| ocspCache | ENABLED or DISABLED (Default: DISABLED) |
Example configuration:
```
add ssl action ocsp_stapling_action -ocspStapling ENABLED -cache ENABLED
add ssl policy ocsp_stapling_policy -rule TRUE -action ocsp_stapling_action
bind ssl vserver vs192 -policyName ocsp_stapling_policy -priority 10 -type CLIENTHELLO_REQ
<!--NeedCopy-->
```
Client certificate authentication OCSP validation
Used to validate the revocation status of a client certificate received during the handshake.
| Parameter | Description |
|---|---|
| ocspCertValidation | Possible values: DISABLED, OPTIONAL, or MANDATORY; Default: DISABLED |
| ocspCache | Possible values: DISABLED or ENABLED; Default: DISABLED |
Note:
When the SSL action uses the ocspStapling or ocspCertValidation attributes, only the TRUE expression is supported.
Example configuration (client auth):
```
add ssl action ocsp_peercert_action -ocspCertValidation MANDATORY -ocspCache ENABLED
add ssl policy ocsp_peercert_policy -rule TRUE -action ocsp_peercert_action
bind ssl vserver vs74 -policyName ocsp_peercert_policy -priority 10 -type CLIENT_AUTH_VAL
<!--NeedCopy-->
```
Backend SSL handshake (server-side)
Used to validate the revocation status of the server certificate received from the backend SSL server.
| Parameter | Description |
|---|---|
| ocspCertValidation | Possible values: DISABLED, OPTIONAL, or MANDATORY; Default: DISABLED |
| ocspCache | Possible values: DISABLED or ENABLED; Default: DISABLED |
Example configuration:
```
add ssl action ocsp_peercert_action -ocspCertValidation MANDATORY -ocspCache ENABLED
add ssl policy ocsp_peercert_policy -rule TRUE -action ocsp_peercert_action
bind ssl vserver vs74 -policyName ocsp_peercert_policy -priority 10 -type SERVER_AUTH_VAL
<!--NeedCopy-->
```
Notes:
- When the SSL action uses the ocspStapling or ocspCertValidation attributes, only the TRUE expression is supported.
- Policy support is available for both Zero Touch and non-Zero Touch certificates. For non-Zero Touch certificates, policy binding takes precedence over SSL profile settings.
Limitations
OCSP responder creation limits:
The number of automatically created OCSP responders is subject to system-wide limits to ensure stability and resource management.
| Certificate Source | Limit | Behavior When Limit is Reached |
|---|---|---|
| Certificates from Console | 4096 | Certificate creation succeeds, but no permanent OCSP responder is created. If OCSP stapling is configured on the VIP, a responder is created temporarily during the SSL handshake to fetch the status, and then deleted immediately after serving the response to maintain the limit. |
| Certificates from SSL Peer During Handshake | 1024 | A responder is created to perform the revocation check. After the handshake, the responder is added to the cache only if an existing entry can be evicted from the Least Recently Used (LRU) list. If eviction is not possible, the new OCSP responder is immediately deleted. |