12-05-2013 09:14 AM
We've got our OCSP URL basically presented as a VIP on a pair of NetScalers, and two issuing CAs sitting under a common root CA.
When an OCSP call comes in, the NetScaler does its job and load balances between the two, forwards the query and the response back - so the actual server that gets queried can vary depending on the source IP (that's the hash I used) for load balancing.
Thing is, when IssuingCA1 revokes a cert - apparently I need to synchronise the serial numbers to its buddy (IssuingCA2) in order for the OCSP call to be - if you like - made to make the actual non-issuing CA aware that that cert is actually revoked. This makes sense.
I was kind of attracted to OCSP as I don't have to download a bigger and bigger CRL cert (I know this is automated on ClearPass, awesome product I know), and it's instant. Now I am told a scheduled task will be run every hour to update the CRL, which will pass on the serial numbers to both issuing CAs so they can respond correctly to an OCSP call.
So now I am left with a problem - do I try and match the session timeout with a value that corresponds to the probable length of time the issuing CAs can work out and agree a cert has been revoked?
I mean, you'll only fail authentication when you re-attempt it, right? I mean, presumably session timeout or roaming events will trigger this - but as crazy as it sounds, I think most of the users stay put even though they are on wifi.
Anyone considered this? If you have managed to read down this far, thank you! And I'd be interested in your experience and feedback - many thanks.
12-06-2013 06:52 AM
I have a response for you:
From what you have described, probably you can set a session timeout of 1 hour – or a little over 1 hr. This means clients will have to authenticate every 1 hour even if they stay put. The revocation scenario will work as follows:
- CA1 revokes the cert.
- Client connects, say OCSP goes to CA2 and passes ok – since CA2 is not aware of the revocation status yet. Client gets connected with session timeout of 1 hr.
- Within the next hour, CA2 gets updated with the revocation status.
- Client reconnects after one hour, OCSP goes to CA2 and gets rejected.
So clients will have a max grace period of 1 hour after revocation which should be acceptable given the CAs take one hour to sync between them.
Consulting Systems Engineer - ACCX, ACDX, ACMX
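As an added illustration of the propagation window the reply walks through (example code written for this thread, not from either poster): a toy model in which a constructed source-IP parity check stands in for the NetScaler's hash, a revocation is recorded on IssuingCA1, and IssuingCA2 only learns of it when the hourly job runs. Serial, IPs and times are constructed sample values.

```python
"""Toy model of OCSP revocation propagation across two issuing CAs behind a
source-IP-hashing load balancer. All times are minutes; sync runs at every
multiple of sync_interval. Constructed example, not production code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Responder:
    name: str
    revoked: set = field(default_factory=set)  # serials this CA knows are revoked

    def ocsp_status(self, serial: str) -> str:
        return "revoked" if serial in self.revoked else "good"


def pick_responder(source_ip: str, responders: list) -> Responder:
    """Stand-in for the load balancer's source-IP hash (constructed: IP parity)."""
    return responders[int(ipaddress.ip_address(source_ip)) % len(responders)]


def next_sync(t: int, interval: int) -> int:
    """First scheduled sync strictly after minute t."""
    return ((t // interval) + 1) * interval


def simulate(source_ip, serial, revoked_at, sync_interval, session_timeout,
             first_auth, horizon=24 * 60):
    """Client re-authenticates whenever its session expires. Returns
    (minute the client is finally rejected, list of (t, responder, status))."""
    ca1, ca2 = Responder("IssuingCA1"), Responder("IssuingCA2")
    responder = pick_responder(source_ip, [ca1, ca2])
    log, t = [], first_auth
    while t <= horizon:
        if t >= revoked_at:
            ca1.revoked.add(serial)                 # issuing CA knows at once
        if t >= next_sync(revoked_at, sync_interval):
            ca2.revoked |= ca1.revoked              # hourly job has copied serials
        status = responder.ocsp_status(serial)
        log.append((t, responder.name, status))
        if status == "revoked":
            return t, log
        t += session_timeout                        # session rides out, then re-auth
    return None, log


def worst_case_window(sync_interval: int, session_timeout: int) -> int:
    """Upper bound on minutes a revoked cert can keep a client connected: it
    authenticates against the stale CA just before the sync, then holds a
    full session. The reply's steps assume the client hits the stale CA."""
    return sync_interval + session_timeout
```

With a one-hour sync and a one-hour session timeout the model shows a client landing on the stale CA just before the sync is only rejected at its next re-authentication, which bounds how long the session timeout should be.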