OCSP Stapling

The Online Certificate Status Protocol (OCSP) provides timely information about the revocation status of a certificate. OCSP also reduces bandwidth use by removing the need to download full certificate revocation lists (CRLs).

Volterra provides centralized support for OCSP through a component in the Volterra Global Controller (GC). This component queries the OCSP servers for the revocation status of the TLS certificate, distributes the response to all edge sites and network sites, and caches it locally. OCSP clients then request the status and obtain it from their nearest edge or network site. Volterra also supports OCSP stapling and certificates with the must-staple extension using the same mechanism.

To enable OCSP stapling for their applications or services, users need to obtain a CA-signed TLS certificate with the OCSP must-staple extension and configure the virtual host or advertise policy with this certificate. For information on how to obtain the certificate and enable OCSP stapling, see the Configuring OCSP Stapling guide.

Figure: Volterra OCSP High-level View


OCSP Stapling

OCSP stapling is supported by obtaining a certificate from a Certificate Authority (CA) and using that certificate in the virtual host or advertise policy configuration.

Figure: Volterra OCSP Staple Work Flow

The following is the sequence of events for OCSP stapling for TLS certificates:

  1. The user obtains a CA-signed TLS certificate and configures the virtual host or advertise policy with the certificate and key.
  2. The Volterra GC component checks the certificate and determines the OCSP server.
  3. The GC component sends a certificate status request (Get OCSP) to the OCSP servers and obtains the response.
  4. The GC component then caches the response locally and distributes it to all RE sites and CE sites.
  5. Clients such as browsers send HTTPS requests, and their nearest RE or CE returns the certificate.
  6. The clients accept the certificate.

OCSP Stapling with Must-Staple Extension

The must-staple extension requires clients to accept only certificates that carry the must-staple extension, which enhances security in addition to reducing latency and improving bandwidth management.

To enable OCSP stapling with this extension, obtain a CA-signed TLS certificate with an OCSP must-staple extension and use it in the virtual host or advertise policy configuration.

Figure: Volterra OCSP Must-Staple Work Flow

The following is the sequence of events for OCSP stapling for TLS certificates with the must-staple extension:

  1. The user obtains a CA-signed TLS certificate with the must-staple extension and configures the virtual host or advertise policy with the certificate and key.
  2. The Volterra GC component checks the certificate and determines the OCSP server.
  3. The GC component sends a certificate status request (Get OCSP) to the OCSP servers and obtains the response.
  4. The GC component then caches the response locally and distributes it to all RE sites and CE sites.
  5. Clients such as browsers send HTTPS requests, and their nearest RE or CE returns the certificate only if the response contains the must-staple extension.
  6. The clients accept the certificate.
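Step 2 in both sequences above (checking the certificate and determining the OCSP server) and the must-staple distinction can be shown in code. The following Go program is an added example, not Volterra's code: it reads the OCSP responder URL from a certificate's Authority Information Access (AIA) extension and detects the must-staple extension (TLS Feature, RFC 7633); the certificate, its OCSP URL and the `Inspect` and `makeTestCert` names are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// id-pe-tlsfeature (RFC 7633); feature value 5 is status_request, i.e. OCSP must-staple.
var oidTLSFeature = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}

// Inspect mirrors step 2 of the flow: it reads the OCSP responder URL(s) from the AIA
// extension and reports whether the certificate demands a stapled response (must-staple).
func Inspect(cert *x509.Certificate) (ocspServers []string, mustStaple bool, err error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidTLSFeature) {
			var features []int // the extension value is a SEQUENCE OF INTEGER
			if _, err = asn1.Unmarshal(ext.Value, &features); err != nil {
				return nil, false, err // malformed extension: do not guess
			}
			for _, f := range features {
				mustStaple = mustStaple || f == 5
			}
		}
	}
	return cert.OCSPServer, mustStaple, nil
}

// makeTestCert builds a self-signed leaf with a constructed OCSP URL and the
// must-staple extension: constructed test data, not a CA-issued certificate.
func makeTestCert() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if crypto/rand does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		OCSPServer:   []string{"http://ocsp.example.test"}, // constructed AIA entry
	}
	val, _ := asn1.Marshal([]int{5}) // DER 30 03 02 01 05
	tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTLSFeature, Value: val}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate without the TLS Feature extension yields `mustStaple == false`, which is the case where a missing staple is merely a performance loss rather than a handshake failure.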
