Danni-Tech

Making the Complicated Simple

  • Key Points from This Video on CRLs and OCSP:

  • Certificate Revocation List (CRL):

    • What is a CRL?

      • A Certificate Revocation List (CRL) is a signed list, published by a Certificate Authority (CA), of the serial numbers of certificates the CA has revoked before their expiry date.
      • A certificate whose serial number appears on the CRL is no longer considered valid, even though its validity period has not ended.
    • Why is a Certificate Revoked?

      • Common reasons for revocation include:
        1. Key compromise (e.g., the certificate’s private key is stolen).
        2. CA compromise (the Certificate Authority itself is compromised, so everything it issued is suspect).
        3. Cessation of operations (the organization no longer needs the certificate).
      • RFC 5280 defines further reason codes (such as superseded and affiliationChanged), but these three are the ones to know for the exam.
    • Example (Key Compromise):

      • An attacker who obtains the private key belonging to a certificate can run a rogue server that impersonates the legitimate website, e.g. bluekeys.com, because the stolen key still matches a certificate that chains to a trusted CA.
      • Solution: The site operator asks the CA to revoke the compromised certificate, generates a new key pair, and requests a new certificate for the new key. Revocation is what stops the stolen key from being useful for the remaining lifetime of the old certificate.
    • How a Client Validates a Certificate Using a CRL:

      1. Requesting the Certificate: During the TLS handshake the server sends its certificate together with any intermediate certificates.
      2. Certificate Revocation Check: The client downloads the CRL from the URL in the certificate’s CRL Distribution Points extension, verifies the CA’s signature on the list, and checks whether the server certificate’s serial number is on it.
      3. CRL Caching: To improve efficiency, clients cache the CRL after the first download and reuse it until its Next Update time, so a revocation may not be noticed until the cached copy expires.
    • Challenges with CRLs:

      • Size and Processing: A large CA’s CRL can run to many megabytes, all of which must be downloaded and searched before the first connection can complete.
      • Update Frequency: CRLs aren’t updated in real time (typically published every 5–14 days), so a certificate revoked just after a CRL is published is still accepted until the next list is published and clients’ cached copies expire.

 

  • Online Certificate Status Protocol (OCSP):

    • What is OCSP?

      • A method for checking the revocation status of a single certificate at the time of the connection.
      • More efficient than CRLs because the client asks about one serial number and receives a short, signed answer instead of downloading the whole list.
    • How OCSP Works:

      1. The client requests the certificate from the server.
      2. The client sends an OCSP request (containing the certificate’s serial number and a hash of the issuer) to the OCSP responder named in the certificate’s Authority Information Access extension.
      3. The OCSP responder returns a signed, timestamped response with one of three statuses:
        • “Good” – The certificate is not revoked.
        • “Revoked” – The certificate is no longer valid.
        • “Unknown” – The responder has no record of the certificate; the client should treat this as a failed check, not as “good”.
    • Advantages of OCSP Over CRLs:

      • Near-Real-Time Updates: Clients learn about a revocation as soon as the responder serves it, rather than at the next CRL publication.
      • No Need for Large Lists: OCSP checks the status of a specific certificate without downloading and searching a lengthy list.
      • Caveat: Every lookup tells the CA which site the client is visiting, and if the responder cannot be reached most browsers “soft-fail” and accept the certificate anyway, so an attacker who can block the OCSP request can bypass the check.
  • OCSP Stapling:

    • What is OCSP Stapling?

      • A method to reduce the load on the CA’s OCSP responder caused by every client making its own request, and to spare clients the latency and privacy cost of that request.
      • The server periodically requests its own certificate status from the CA’s OCSP responder.
      • The responder returns a timestamped, digitally signed status, which the server caches and refreshes before its Next Update time passes.
    • How OCSP Stapling Works:

      1. The server obtains the signed OCSP response from the CA’s responder.
      2. The server “staples” the OCSP response to its certificate in the TLS handshake (the status_request extension).
      3. When the client connects, it receives both the certificate and the stapled OCSP response directly from the server, verifies the CA’s signature and the validity window on the response, and does not need to contact the CA itself.
    • Benefits of OCSP Stapling:

      • Reduces real-time OCSP traffic to the CA.
      • Faster certificate validation for clients.
      • Improves efficiency and performance without compromising security: the server only relays the response and cannot alter it, because the CA’s signature covers the status and its timestamps.
      • Caveat: A server can simply omit the staple, and a client that accepts the connection anyway is back to soft-fail behaviour; the OCSP Must-Staple certificate extension tells clients to reject a connection that arrives without one.
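The CRL lookup (steps 1–3 under “How a Client Validates a Certificate Using a CRL”), the OCSP request/response exchange with its outcomes, and the check a client runs on a stapled response are shown together below as an added example in Python using the `cryptography` package. It is not code from the video or from Danni-Tech. The CA (“Toy CA”), the bluekeys.com and other.example leaf certificates, the serial numbers and the day-0/day-1 timeline are all generated inside the script; the responder answering “unauthorized” for a certificate it never issued is a hypothetical design choice for this demo (RFC 6960 also allows the per-certificate “unknown” status for that case). The script also goes slightly beyond the page by showing why a cached CRL lags behind a revocation and why a stale staple must be refused.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
NOW = dt.datetime(2024, 1, 1, 12, 0, 0)  # fixed naive-UTC clock so every run behaves the same

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject_cn, issuer_name, pubkey, signer_key, days, ca):
    return (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def make_ca(cn="Toy CA"):  # "Toy CA" is a made-up name for this demo
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _cert(cn, _name(cn), key.public_key(), key, 3650, ca=True)

def issue_leaf(ca_key, ca_cert, cn):
    key = ec.generate_private_key(ec.SECP256R1())  # the site's key pair; only its certificate matters below
    return _cert(cn, ca_cert.subject, key.public_key(), ca_key, 90, ca=False)

# ---- CRL: the CA publishes one signed list; the client searches it by serial number ----
def publish_crl(ca_key, ca_cert, revoked_serials, issued_at):
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(issued_at).next_update(issued_at + dt.timedelta(days=7)))  # weekly publication
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(issued_at)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(DER)

def crl_status(crl_der, ca_cert, cert, now):
    """Client side: returns 'good' or 'revoked'; raises if the (cached) CRL cannot be used."""
    crl = x509.load_der_x509_crl(crl_der)
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL was not issued and signed by the certificate's CA")
    if not crl.last_update <= now <= crl.next_update:
        raise ValueError("cached CRL is outside its validity window; download a fresh one")
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

# ---- OCSP: the client asks about ONE serial; the responder answers with a signed, dated status ----
def ocsp_request(cert, ca_cert):
    return ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build().public_bytes(DER)

def ocsp_respond(req_der, ca_key, ca_cert, issued, revoked_serials, now):
    """Responder side. `issued` maps serial -> certificate for everything this CA has signed."""
    req = ocsp.load_der_ocsp_request(req_der)
    cert = issued.get(req.serial_number)
    if cert is None:  # never issued by this CA: answer 'unauthorized' (RFC 5019 style) rather than guess
        return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
    revoked = cert.serial_number in revoked_serials
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + dt.timedelta(hours=12),  # how long a stapled copy stays usable
        revocation_time=now if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return b.sign(ca_key, hashes.SHA256()).public_bytes(DER)

def ocsp_status(resp_der, ca_cert, cert, now):
    """Client side; the same checks apply whether the response was fetched live or stapled by the server."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder gave no status: {resp.response_status.name}")
    if resp.serial_number != cert.serial_number or not resp.this_update <= now <= resp.next_update:
        raise ValueError("response is for another certificate or outside its validity window")
    # This signature check is what makes stapling safe: the server relays the response but cannot alter it.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    return resp.certificate_status.name.lower()

def demo():
    ca_key, ca_cert = make_ca()
    site = issue_leaf(ca_key, ca_cert, "bluekeys.com")
    other = issue_leaf(ca_key, ca_cert, "other.example")  # an unaffected certificate from the same CA
    issued = {c.serial_number: c for c in (site, other)}
    day0_crl = publish_crl(ca_key, ca_cert, set(), NOW)  # day 0: nothing revoked; clients cache this CRL
    day1 = NOW + dt.timedelta(days=1)  # day 1: bluekeys.com's private key is stolen, the CA revokes its cert
    revoked = {site.serial_number}
    def ask(cert, now):  # one full OCSP round trip: client request -> responder -> client verification
        return ocsp_status(ocsp_respond(ocsp_request(cert, ca_cert), ca_key, ca_cert, issued, revoked, now), ca_cert, cert, now)
    out = {"crl_cached": crl_status(day0_crl, ca_cert, site, day1),  # still 'good': the CRL lag problem
           "crl_fresh": crl_status(publish_crl(ca_key, ca_cert, revoked, day1), ca_cert, site, day1),
           "ocsp_site": ask(site, day1), "ocsp_other": ask(other, day1)}
    try:
        ask(issue_leaf(*make_ca("Other CA"), "stranger.example"), day1)  # a cert this responder never issued
    except ValueError as e:
        out["ocsp_unknown"] = str(e)
    staple = ocsp_respond(ocsp_request(other, ca_cert), ca_key, ca_cert, issued, revoked, day1)  # server caches this
    out["staple_fresh"] = ocsp_status(staple, ca_cert, other, day1 + dt.timedelta(hours=6))
    try:
        ocsp_status(staple, ca_cert, other, day1 + dt.timedelta(days=2))  # a stale staple must be refused
    except ValueError as e:
        out["staple_stale"] = str(e)
    return out
```

Calling demo() returns a dictionary: the CRL cached on day 0 still reports bluekeys.com as good a day after the revocation, while a freshly published CRL and the OCSP responder both report it revoked; the request for a certificate from a different CA comes back without a status and is refused; and the response the server would staple is accepted six hours into its 12-hour window and refused two days later. The CA’s signature over the OCSP response is checked explicitly in ocsp_status, which is exactly the check that lets a client trust a response handed to it by the server rather than by the CA.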
 

    Key Takeaways for the Security+ Exam:

    1. CRL: A list of revoked certificates maintained by the CA.
    2. OCSP: A real-time protocol to check the revocation status of a certificate.
    3. OCSP Stapling: A method to improve efficiency by having the server fetch its own signed OCSP response and deliver it to clients during the TLS handshake.
    4. Revocation Reasons: Key compromise, CA compromise, or cessation of operations.
    5. Validation Process: Understand how clients validate certificates using both CRLs and OCSP.