Certificate Revocation

ESF Http Service and SSL Manager Service can be configured to check the revocation status of client/server certificates using the following methods:

  • OCSP: The revocation check is performed using the OCSP protocol. The OCSP responder URL must be encoded using the corresponding extension in the certificate to be verified.
  • CRLDP: The revocation check is performed by downloading a CRL list from the distribution points URLs encoded using the corresponding extension in the certificate to be verified.
  • Cached CRL lists: ESF also supports managing a local CRL cache that is considered along with OCSP and CRLDP. See below for more details.

These Http Service and SSL Manager Service provide the following configuration options related to certificate revocation check:

  • Revocation Check Enabled: Allows to enable/disable the revocation check.

  • Revocation Check Mode:

    • Prefer OCSP: The verification check will be performed using OCSP, and if this fails, using CRLs.
    • Prefer CRL: The verification check will be performed using CRLs, and if this fails, using OCSP.
    • CRL Only: The verification check will be performed only using CRLs.

    During CRL check, both CRLDP and the CRLs cached using ESF are considered.

  • Revocation Soft-Fail Enabled: If this is set to false and the gateway is not able to verify the revocation status of a certificate due to a network error (for example because the OCSP server or the CRL distribution points are not reachable), the certificate will be rejected.

 CRL Cache

ESF KeyStore service allows to maintain a local cache by periodically downloading and storing CRLs from a configurable set of HTTP URLs.

This service provides the following CRL related options:

The Enabled: Allows to enable or disable CRL caching for the specified keystore

The CRL URLs: Allows to specify a set of HTTP URLs to download CRLs from. Apart from these URLs, the KeyStore Service will also download the CRLs specified as distribution points by the certificates in the keystore. LDAP distribution points are not supported.

The service attempts to download a CRL from a distribution point at most every CRL Check Interval, in the following cases:

  • After the Keystore Service starts or when its configuration has been modified
  • If no CRL has been downloaded yet from the distribution point.
  • If the nextUpdate field of the CRL is set and is in the past.
  • The last successful download attempt since FilesystemKeystoreService activation or update is in greater than the value specified by the CRL Force Update Interval.

If the Enable CRL Verification parameter is set to true, then the service will check whether the downloaded CRLs are signed by a trusted certificate contained in the managed keystore. If this condition is not satisfied, the CRL will be discarded.