Cisco Packet Data Interworking Function (PDIF)
IPSec Certificates
IPSec Reference, StarOS Release 16
Online Certificate Status Protocol (OCSP)
Overview
Certificates are used to establish peer identity. A certificate is issued by a trusted CA for a limited period, and that
validity period is an integral part of the signed certificate. Gateways that exchange certificates to establish identity and
trust check the validity period during the transaction. A certificate can, however, be revoked at any time, well before the
end of its validity period, so the validity dates alone do not prove that a certificate is still trustworthy. The gateway
therefore also needs the current revocation status of the certificate.
Online Certificate Status Protocol (OCSP) provides a way to obtain timely information on the status of a certificate
(RFC 2560, since superseded by RFC 6960). OCSP messages are exchanged between a gateway and an OCSP responder during a
certificate transaction. The responder returns the current status of the presented certificate: good, revoked or unknown.
The gateway then proceeds according to the response. Because the response is itself a signed object, the gateway must
verify that it was signed by the CA, or by a responder the CA has authorized, before acting on the status it carries.
Deployment Scenarios
OCSP responders may be part of the CA/RA server or may be a separate entity authorized by the CA. The security
gateway requires connectivity to the responder to obtain status information.
Figure 21. Call Flow: IKE Exchange
When the remote gateway presents a certificate, the security gateway sends an OCSP request for that certificate
(identified by its issuer and serial number) to the OCSP responder and queries it for the revocation status. The OCSP
responder replies with the corresponding status information, which the gateway verifies before deciding whether to
continue the IKE exchange.