SSH Tectia

Certificate Revocation Check

Certificate revocation checking is a central part of the SSH Tectia software PKI authentication configuration: a certificate that validates cryptographically must still be rejected if its CA has revoked it. There are two alternatives for certificate revocation checking: Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL).

Online Certificate Status Protocol (OCSP) provides a real-time check, executed every time a certificate is validated, which ensures that a suspended or revoked certificate is detected immediately and its use is denied. OCSP requires a responder service that is reachable every time a certificate is validated (so the responder's availability becomes a dependency of every certificate login), but it is a convenient mechanism for SSH Tectia environments, as typically all the required configuration information is provided in the certificate's Authority Info Access extension. In a CA hierarchy, the OCSP responder certificate has to be signed by the same CA as the certificate being validated.

A certificate revocation list (CRL) is a signed list of the certificates the CA has revoked. It can be published after each revocation and/or at defined intervals (for example every 10 minutes). Each CRL has a validity period (often several hours or longer). The CRL validity period is usually longer than the publication interval, so that a failure in CRL publication does not immediately stop authentication; the price is that a revocation may go unnoticed for up to the validity period if the fresh CRL cannot be retrieved. SSH Tectia Client and SSH Tectia ConnectSecure (and SSH Tectia Connector in 4.x) retrieve a new CRL each time they are invoked (in SSH Tectia version 6.x only when the Connection Broker service is invoked), and when the current CRL in memory expires. SSH Tectia Server is typically stopped only for maintenance and can be configured to cache the CRL between invocations.

CRL Configuration and Publishing

CRLs can be published either via HTTP or to an LDAP (Lightweight Directory Access Protocol) directory. The CA can also publish the CRL via both HTTP and LDAP, to ensure higher availability, and include a CRL Distribution Point (DP) URL extension for both services in the certificates. SSH Tectia Client and Server will then attempt both methods and use the first valid CRL obtained.

The configuration of CRLs for the SSH Tectia software is not necessarily any more complicated than using OCSP, as the required configuration can be provided in the certificate's CRL DP URL extension as it is with the SSH Tectia Manager Internal CA by default. However, in large PKI environments, the applications are often configured to use different LDAP servers appropriate to the location, with the LDAP service providing replication. The SSH Tectia software will request the CRL from the LDAP server using the issuer name of the certificate being validated.

Large CRLs

A CRL can potentially become very large, when compared to an OCSP response (which covers only the certificate in question). On the other hand, the OCSP query needs to be done for each certificate individually, whereas the CRL check covers either all or several unexpired certificates issued by the CA (certificates associated with the same CRL DP).

There are some configuration options that help cope with large CRLs. For example, SSH Tectia Server can store the CRLs, along with any intermediate CA certificates, into a local cache file. It can also prefetch a CRL, to ensure it is available when the first user logs in with a certificate, and retrieve a new CRL before the old one expires to allow a grace time for network problems. The CRL prefetch is also useful if the publishing method of the CA is changed, but the user certificates are not renewed at the same time to contain the new CRL DP extension.

If a large CRL is combined with a short CRL validity period, or it is frequently published for another reason, the performance hit can affect the entire environment. The validity period of issued certificates is of key relevance, as the revoked certificate remains in the CRL until the certificate expires. (In some PKI setups a revoked certificate may remain in the CRL also after the certificate has expired, but this is a rare exception with authentication certificates.)
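The CRL retrieval, caching and prefetch behaviour described above (several CRL DP URLs tried in order with the first valid CRL kept; a new CRL fetched some grace time before the cached one expires; the old CRL still used during an outage until its validity period ends, after which the check fails closed) can be modelled as follows. This is an added example, not SSH Tectia code or configuration: the `Crl` data model, the `CrlCache` class, its `grace` parameter and the `fetch` callback are assumptions, and the CRLs and URLs in the usage part are constructed inline.

```python
"""CRL cache with multi-DP retrieval, early refresh and fail-closed expiry.

Added example; not Tectia code.  Assumed names: Crl, CrlCache, grace, fetch.
Times are seconds since an arbitrary epoch (floats) to keep the example
self-contained.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Crl:
    issuer: str            # issuer DN the CRL belongs to
    this_update: float     # start of the CRL validity period
    next_update: float     # end of the CRL validity period
    revoked: frozenset     # serial numbers listed as revoked


@dataclass
class CrlCache:
    # fetch(url) returns a Crl, or None if the DP could not be reached
    fetch: Callable[[str], Optional[Crl]]
    # refresh this many seconds before next_update: the grace time the
    # prefetch gives for network or publishing problems
    grace: float
    crls: Dict[str, Crl] = field(default_factory=dict)   # issuer -> cached CRL

    def _needs_refresh(self, crl: Optional[Crl], now: float) -> bool:
        return crl is None or now >= crl.next_update - self.grace

    def refresh(self, issuer: str, dp_urls, now: float) -> Optional[Crl]:
        """Try each CRL DP in order and keep the first valid CRL.

        A CRL is only accepted if it is for the expected issuer and 'now'
        lies inside its validity period; a stale copy left on a mirror is
        skipped so that a later DP can still supply a fresh one.
        """
        for url in dp_urls:
            crl = self.fetch(url)
            if crl is None or crl.issuer != issuer:
                continue
            if not (crl.this_update <= now < crl.next_update):
                continue
            self.crls[issuer] = crl
            return crl
        return None          # all DPs failed: caller keeps what it has

    def status(self, issuer: str, serial: int, dp_urls, now: float) -> str:
        """Return 'good', 'revoked' or 'unknown' for one certificate.

        Within the grace window a refresh is attempted on every check, but
        a failed refresh does not discard the cached CRL: it keeps serving
        until next_update.  Past that, with no replacement, the result is
        'unknown' and the caller must refuse the certificate (fail closed).
        """
        crl = self.crls.get(issuer)
        if self._needs_refresh(crl, now):
            fresh = self.refresh(issuer, dp_urls, now)
            if fresh is not None:
                crl = fresh
        if crl is None or now >= crl.next_update:
            return "unknown"
        return "revoked" if serial in crl.revoked else "good"


# Constructed usage: an HTTP DP that is down and an LDAP DP that serves the CRL.
CA = "CN=Example CA"
DP_URLS = ["http://crl.example/ca.crl", "ldap://ldap.example/cn=Example%20CA"]
store = {DP_URLS[0]: None,
         DP_URLS[1]: Crl(CA, 0.0, 3600.0, frozenset({0x1001}))}
cache = CrlCache(fetch=lambda url: store.get(url), grace=600.0)

if __name__ == "__main__":
    print(cache.status(CA, 0x1001, DP_URLS, now=10.0))     # revoked
    print(cache.status(CA, 0x1002, DP_URLS, now=10.0))     # good
    store[DP_URLS[1]] = None                               # publisher outage
    print(cache.status(CA, 0x1002, DP_URLS, now=3100.0))   # good (cached CRL)
    print(cache.status(CA, 0x1002, DP_URLS, now=3700.0))   # unknown (expired)
```

A server-side prefetch is just `cache.refresh(...)` called from a timer rather than from a login, which is what makes the CRL available before the first certificate user arrives. The `status` return of `"unknown"` is the important edge: a client that treated an expired or missing CRL as "good" would turn a publishing outage into an authentication bypass for revoked certificates.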

The SSH Tectia Manager Internal CA implements partitioned CRLs so that a CRL is associated with a limited number of certificates at any given time. If the number of unexpired certificates exceeds 1000, a new CRL DP is taken into use automatically. This ensures that the CRL size of a particular CRL DP remains reasonable regardless of the host certificate validity period, even if all certificates are revoked. Once an existing CRL DP becomes available again, it is automatically taken into use for new certificates the next time a new CRL DP is needed.
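The partitioning rule above (a new CRL DP once the current one holds the maximum number of unexpired certificates, a DP that has freed up reused the next time a new DP is needed, and revoked entries dropping off the CRL once the certificate itself expires) is easy to get subtly wrong, so here it is worked through in code. This is an added example, not the SSH Tectia Manager Internal CA implementation: the class and method names, the sequential serial numbers, and the exact reuse choice (the lowest-numbered DP with free capacity) are assumptions; the page only states that an available DP is reused.

```python
"""Partitioned CRL distribution points, modelled on the behaviour the page
describes.  Added example; not Tectia code.  Assumed names:
PartitionedCrlIssuer, IssuedCert, limit.  Times are plain floats.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class IssuedCert:
    serial: int
    not_after: float      # certificate expiry
    dp: int               # index of the CRL DP written into the certificate
    revoked: bool = False


@dataclass
class PartitionedCrlIssuer:
    limit: int = 1000                                   # unexpired certs per DP
    certs: Dict[int, IssuedCert] = field(default_factory=dict)   # serial -> cert
    dps: List[Set[int]] = field(default_factory=list)   # dp index -> serials
    current_dp: int = 0
    next_serial: int = 1

    def unexpired(self, dp: int, now: float) -> List[int]:
        """Serials on this DP whose certificates have not yet expired."""
        return [s for s in self.dps[dp] if self.certs[s].not_after > now]

    def issue(self, not_after: float, now: float) -> IssuedCert:
        """Issue a certificate, moving to another DP only when the current
        one is full; a DP that has drained (certificates expired) is reused
        in preference to opening a new one."""
        if not self.dps:
            self.dps.append(set())
        if len(self.unexpired(self.current_dp, now)) >= self.limit:
            free = [i for i in range(len(self.dps))
                    if len(self.unexpired(i, now)) < self.limit]
            if free:
                self.current_dp = free[0]        # reuse an available DP
            else:
                self.dps.append(set())           # open a brand-new DP
                self.current_dp = len(self.dps) - 1
        cert = IssuedCert(self.next_serial, not_after, self.current_dp)
        self.next_serial += 1
        self.certs[cert.serial] = cert
        self.dps[cert.dp].add(cert.serial)
        return cert

    def revoke(self, serial: int) -> None:
        self.certs[serial].revoked = True

    def crl(self, dp: int, now: float) -> List[int]:
        """Revoked serials currently listed on this DP's CRL.  An entry is
        dropped once the certificate has expired, so the CRL can never list
        more than `limit` entries even if every certificate is revoked."""
        return sorted(s for s in self.unexpired(dp, now)
                      if self.certs[s].revoked)


if __name__ == "__main__":
    ca = PartitionedCrlIssuer(limit=3)        # small limit for the demo
    for _ in range(4):
        c = ca.issue(not_after=100.0, now=0.0)
        print(f"serial {c.serial} -> DP {c.dp}")   # 1,2,3 -> DP 0; 4 -> DP 1
```

The check worth taking from this is the one on the CRL size: because the DP of a certificate never changes and a DP stops accepting new certificates at `limit`, the worst case for any single CRL is `limit` entries, independent of the certificate validity period.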