OCSP Response Stapling

The OCSP Response Stapling feature allows you to check the validity of a peer's user or device credentials contained in a digital certificate using Online Certificate Status Protocol (OCSP).

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About OCSP Response Stapling

Overview of OCSP Response Stapling

Online Certificate Status Protocol (OCSP) is a method for checking certificate revocation in which the peer must retrieve the revocation information itself and then validate it to determine the certificate's revocation status. With this method, the revocation check depends on the peer's ability to reach an OCSP responder across the network and on how quickly the certificate sender's revocation information can be retrieved.

OCSP response stapling adds a way for a device to fetch the OCSP response for its own certificates. The device obtains its own certificate revocation information by contacting the OCSP server and then sends this result, along with its certificates, directly to the peer. As a result, the peer does not need to contact the OCSP responder itself.

How to Configure OCSP Response Stapling

Configuring PKI Client to Request EKU Attribute

Perform this task to configure OCSP (Online Certificate Status Protocol) response stapling.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto pki trustpoint name

    4.    ocsp url url

    5.    eku request attribute

    6.    match eku attribute

    7.    revocation-check method1 [method2 [method3]]

    8.    exit

    9.    exit

    10.    show cry pki counters


DETAILED STEPS

    Step 1: enable

    Example:
    Device> enable

    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

    Step 2: configure terminal

    Example:
    Device# configure terminal

    Purpose: Enters global configuration mode.

    Step 3: crypto pki trustpoint name

    Example:
    Device(config)# crypto pki trustpoint msca

    Purpose: Declares the trustpoint with the given name and enters ca-trustpoint configuration mode.

    Step 4: ocsp url url

    Example:
    Device(ca-trustpoint)# ocsp url http://ocsp-server

    Example:
    Device(ca-trustpoint)# ocsp url http://10.10.10.1:80

    Example:
    Device(ca-trustpoint)# ocsp url http://[2001:DB8:1:1::2]:80

    Purpose: The url argument specifies the URL of an OCSP server so that the trustpoint can check certificate status. This URL overrides the URL of the OCSP server (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with the configured trustpoint are checked against this OCSP server. The URL can contain a hostname, an IPv4 address, or an IPv6 address.

    Note: Make sure that the OCSP request URL is configured with the ocsp url url command and not through an HTTP proxy server.

    Step 5: eku request attribute

    Example:
    Device(ca-trustpoint)# eku request ssh-client

    Purpose: Requests that the specified EKU attribute be included in the certificate. When configured on the PKI client, this request is sent to the CA server during enrollment.
    The attribute argument can be one of the following:
    • client-auth
    • code-signing
    • email-protection
    • ipsec-end-system
    • ipsec-tunnel
    • ipsec-user
    • ocsp-signing
    • server-auth
    • time-stamping
    • ssh-server
    • ssh-client

    Step 6: match eku attribute

    Example:
    Device(ca-trustpoint)# match eku client-auth

    Purpose: Allows PKI to validate a peer certificate only if the specified EKU attribute is present in the certificate; otherwise, validation fails.
    The attribute argument can be one of the following:
    • client-auth
    • code-signing
    • email-protection
    • ipsec-end-system
    • ipsec-tunnel
    • ipsec-user
    • ocsp-signing
    • server-auth
    • time-stamping
    • ssh-server
    • ssh-client

    Step 7: revocation-check method1 [method2 [method3]]

    Example:
    Device(ca-trustpoint)# revocation-check ocsp none

    Purpose: (Optional) Checks the revocation status of a certificate using the listed methods:
    • crl -- Certificate checking is performed by a CRL. This is the default option.
    • none -- Certificate checking is ignored.
    • ocsp -- Certificate checking is performed by an OCSP server.
    If a second and third method are specified, each method is used only if the previous method returns an error, such as the server being down.

    Step 8: exit

    Example:
    Device(ca-trustpoint)# exit

    Purpose: Exits ca-trustpoint configuration mode and returns to global configuration mode.

    Step 9: exit

    Example:
    Device(config)# exit

    Purpose: Returns to privileged EXEC mode.

    Step 10: show cry pki counters

    Example:
    Device# show cry pki counters

    Purpose: (Optional) Displays the PKI counters of the device.
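As an added illustration (not Cisco's code or part of this page), the following Python models the fall-through rule stated in Step 7: a later revocation-check method is consulted only when the earlier one returns an error, so "revocation-check ocsp none" passes validation when the responder is unreachable, while "revocation-check ocsp" alone fails it. The responders, serial numbers and the revocation_check function are constructed stand-ins, not IOS internals.

```python
# Added illustration, not Cisco code: models how 'revocation-check method1
# [method2 [method3]]' walks its methods. A later method is consulted only when
# the previous one errors; a definite good/revoked answer ends the chain.
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    ERROR = "error"  # the method could not produce an answer (e.g. server down)


@dataclass(frozen=True)
class Responder:
    """Constructed stand-in for an OCSP responder or a CRL distribution point."""
    reachable: bool
    revoked_serials: frozenset

    def check(self, serial: str) -> Status:
        if not self.reachable:
            return Status.ERROR
        return Status.REVOKED if serial in self.revoked_serials else Status.GOOD


def revocation_check(methods, serial, ocsp=None, crl=None):
    """Return (validation_passed, deciding_method, status) for a method list
    such as ["ocsp", "none"], i.e. 'revocation-check ocsp none'."""
    for method in methods:
        if method == "none":
            return True, "none", Status.GOOD  # checking is ignored: fail open
        responder = ocsp if method == "ocsp" else crl
        status = responder.check(serial) if responder else Status.ERROR
        if status is Status.ERROR:
            continue  # only an error falls through to the next method
        return status is Status.GOOD, method, status
    # Every method errored and no 'none' fallback was configured: fail closed.
    return False, None, Status.ERROR


# Constructed scenario: serial "1A" is revoked; the OCSP responder may be down.
OCSP_DOWN = Responder(reachable=False, revoked_serials=frozenset({"1A"}))
OCSP_UP = Responder(reachable=True, revoked_serials=frozenset({"1A"}))
CRL = Responder(reachable=True, revoked_serials=frozenset({"1A"}))

if __name__ == "__main__":
    # 'revocation-check ocsp none' with the responder down passes (fails open).
    print(revocation_check(["ocsp", "none"], "2B", ocsp=OCSP_DOWN))
    # 'revocation-check ocsp' alone with the responder down fails (fails closed).
    print(revocation_check(["ocsp"], "2B", ocsp=OCSP_DOWN))
```

The "none" fallback is what makes the Step 7 example fail open when the OCSP server is unreachable; listing "crl" instead keeps a revocation source in the chain.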

Configuring PKI Server to Include EKU Attributes

Perform this task to configure OCSP (Online Certificate Status Protocol) response stapling.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip http server

    4.    crypto pki server cs-label

    5.    eku request attribute

    6.    exit

    7.    exit

    8.    show crypto pki counters


DETAILED STEPS

    Step 1: enable

    Example:
    Device> enable

    Purpose: Enables privileged EXEC mode. Enter your password if prompted.

    Step 2: configure terminal

    Example:
    Device# configure terminal

    Purpose: Enters global configuration mode.

    Step 3: ip http server

    Example:
    Device(config)# ip http server

    Purpose: Enables the HTTP server on your system.

    Step 4: crypto pki server cs-label

    Example:
    Device(config)# crypto pki server server-pki

    Purpose: Defines a label for the certificate server and enters certificate server configuration mode.

    Note: If you manually generated an RSA key pair, the cs-label argument must match the name of the key pair.

    Step 5: eku request attribute

    Example:
    Device(cs-server)# eku request ssh-server

    Purpose: Requests that the specified EKU attribute be included in the certificate.
    The attribute argument can be one of the following:
    • client-auth
    • code-signing
    • email-protection
    • ipsec-end-system
    • ipsec-tunnel
    • ipsec-user
    • ocsp-signing
    • server-auth
    • time-stamping
    • ssh-server
    • ssh-client

    Step 6: exit

    Example:
    Device(cs-server)# exit

    Purpose: Exits cs-server configuration mode and returns to global configuration mode.

    Step 7: exit

    Example:
    Device(config)# exit

    Purpose: Returns to privileged EXEC mode.

    Step 8: show crypto pki counters

    Example:
    Device# show crypto pki counters

    Purpose: (Optional) Displays the PKI counters of the device.

    The following is sample output from the show crypto pki counters command:

    Device# show crypto pki counters

    PKI Sessions Started: 0
    PKI Sessions Ended: 0
    PKI Sessions Active: 0
    Successful Validations: 0
    Failed Validations: 0
    Bypassed Validations: 0
    Pending Validations: 0
    CRLs checked: 0
    CRL - fetch attempts: 0
    CRL - failed attempts: 0
    CRL - rejected busy fetching: 0
    OCSP - fetch requests: 0
    OCSP - received responses: 0
    OCSP - failed attempts: 0
    OCSP - staple requests: 0
    AAA authorizations: 0

Additional References for OCSP Response Stapling

Related Documents

    Related Topic         Document Title
    Cisco IOS commands    Master Command List, All Releases
    Security commands

Standards and RFCs

    Standard/RFC    Title
    RFC 2560        X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
    RFC 4806        Online Certificate Status Protocol (OCSP) Extensions to IKEv2
    RFC 5280        Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
    RFC 6187        X.509v3 Certificates for Secure Shell Authentication
    RFC 6066        Transport Layer Security (TLS) Extensions: Extension Definitions

MIBs

    MIB    MIBs Link
           To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

    Description:
    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.
    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.
    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    Link: http://www.cisco.com/support

Feature Information for OCSP Response Stapling

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for OCSP Response Stapling

    Feature Name: OCSP Response Stapling
    Releases: Cisco IOS XE Release 3.14S
    Feature Information: This feature allows you to check the validity of a peer's user or device credentials contained in a digital certificate using Online Certificate Status Protocol (OCSP).