Configure OCSP to perform real-time certificate revocation status checks
search cancel

Configure OCSP to perform real-time certificate revocation status checks


Article ID: 171148


Updated On:


ProxySG Software - SGOS SG-300 Symantec WebFilter (formerly Blue Coat WebFilter - BCWF) SG-600 Intelligence Services SG-510 SG-810 SG-9000 SG-900 SG-S500 SG-S400 Secure Web Gateway Virtual Appliance SG-S200 SWG VA-100


Because each CRL you store on the Edge SWG (ProxySG) appliance requires memory for storage, you should consider using OCSP if you find that you require a large number of CRLs. With OCSP, you do not need to store the CRLs locally on the appliance. Instead, the Edge SWG (ProxySG) appliance acts as an OCSP and queries a remote OCSP responder on the intranet or Internet each time it needs to verify a certificate. In addition, OCSP provides the most secure means of checking certificate revocation status because the checks are done in real time.


The OCSP responder sends one of the following certificate statuses back to the Edge SWG (ProxySG) (the OCSP client):

  • Good - The certificate is not revoked and valid at the time of the query.
  • Revoked - The certificate has been revoked either permanently or temporarily.
  • Unknown - The responder does not know the revocation status of the certificate.

The Edge SWG (ProxySG) can also cache OCSP responses and has the ability to respect, override or ignore the timestamp related to cache ability in the OCSP response.

For more details on how to use OCSP with the Edge SWG (ProxySG), refer to the SGOS Administration Guide.
To enable an OCSP revocation check, configure an OCSP responder profile:

  1. Select Configuration > SSL > OCSP.
  2. Click New to create a new OCSP responder. Create OCSP responder dialog displays.
  3. Configure the OCSP responder options:
    1. Enter a Name for the responder.
    2. URL - Indicates the location of the OCSP responder. The Edge SWG (ProxySG) needs this URL to locate the responder. This location can be obtained from the certificate's Authority Information Access (AIA) extension or from a user-defined configuration. The default is to use the URL from the certificate.
      • Use URL from certificate - Select this option if you want the Edge SWG (ProxySG) to look up the OCSP server location from the subject certificate's AIA extension.
      • Use URL - Select this option if you know the location of the designated OCSP responder. Enter a specific responder HTTP or HTTPS URL.
  4. Issuer CCL - This option is used to decide which responders to contact for a given client or server certificate. Typically, each certificate issuer uses a designated OCSP responder for all the certificates it issues. The issuer CCL attribute allows the administrator to specify the certificate authorities (issuers) for which the responder in question is the designated responder. This means that when a certificate is signed by one of the CAs in this CCL, the OCSP query for that certificate will be sent to this responder. From the drop-down list, select a CA Certificate List (CCL) that contains the CA certificate names for which this is the designated responder. Each CA may only appear in one responder's Issuer CCL. The default is None. Thus, for a given certificate, this CCL is used to determine which responder to use when doing an OCSP check.
  5. Response CCL - This attribute is used during verification of OCSP responses. From the drop-down list, select the CCL list you want to use. The default value is browser-trusted.
  6. Device Profile - This attribute is used when the responder URL is an HTTPS URL. From the drop-down list, select the device profile you want to use when connecting to the OCSP server via SSL. All existing profiles on the Edge SWG (ProxySG) appear. The device profile is a unique set of SSL ciphers suites, protocols, and keyrings. When the responder URL is HTTPS the Edge SWG (ProxySG) makes the HTTPS connection with this responder using its device profile. If the URL is HTTP the device profile is not used. The default value for the device profile attribute is default.
  7. Response Cache TTL - This option indicates how many days an OCSP response is cached on the Edge SWG (ProxySG). The default is to use TTL from OCSP response.
    • Use the TTL from OCSP response - Select this option to use the value of next Update timestamp (see section 2.2 of RFC 2560) in the OCSP response. If this timestamp is not set or is in the past, the OCSP response is not cached on the Edge SWG (ProxySG). The Edge SWG (ProxySG) permits a clock skew of up to five minutes with the responder's clock when validating the next Update timestamp.
    • Use the TTL - Enter the length of time (in days) you want the OCSP response to be cached regardless of next Update timestamp in the OCSP response. If TTL is set to 0, the response is not cached.
  8.  Enable forwarding - This option specifies that OCSP requests are to be sent through a forwarding host, if configured. The default is to have forwarding enabled. Based on whether the responder URL is HTTP or HTTPS the usual forwarding rules apply.
  9. Configure the extensions options:
    1. Enable nonce - To avoid replay attacks, click Enable nonce. A nonce is a random sequence of 20 bytes places in an OCSP response. The default is to disable the use of a nonce.
    2. Request signing keyring - This keyring is used when an OCSP request is required to be signed. In this case, the Edge SWG (ProxySG) includes the certificate chain (minus the root CA) that is associated with this keyring to help the OCSP responder verify the signature. When a valid keyring is selected then OCSP request signing is enabled. When None is selected no request signing occurs.
  10. Configure the following Ignore Settings:
    • Ignore request failures - This setting ignores various connection errors. By default, connection errors are not ignored. The following failures are ignored by this setting:
      • The responder's URL is set to from-certificate and the URL in the certificate's AIA extension is neither HTTP or HTTPS, or is not a valid URL. The TCP layer fails to connect with the responder. The responder URL is HTTPS and the initial SSL connection fails with the responder. The TCP connection times out while reading the response from the responder. The TCP connection fails for any reason not already listed.
      • The responder URL is HTTPS and a hostname mismatch error occurs on the responder's certificate.
      • The responder URL is HTTPS and an error occurs while analyzing the response. Any other error not caught is covered by the following ignore settings.
      • The OCSP responder returns an error message that is described in section 2.3 of RFC 2560. For instance, when an OCSP query is sent to a responder that is not authorized to return an OCSP status for that certificate, the responder returns and unauthorized error, that appears as Responder error (unauthorized) in event-log of the Edge SWG (ProxySG). Enabling this setting causes this error to be ignored as well as other errors described in the RFC.
      • The OCSP responder returns a response that is not a basic OCSP response (see section 4.2.1 of RFC 2560).
    • Ignore expired responder certificate - This setting ignores invalid dates in the responder certificate. By default, invalid responder certificate dates cause the subject certificate verification to fail.
    • Ignore untrusted responder certificate - This setting ignores the response validation error that occurs when the responder's certificate cannot be trusted. By default, any untrusted certificate failure is an error and causes subject certificate verification to fail.
    • Ignore OCSP signing purpose check - This setting ignores errors related to the OCSP signing delegation and applies only to Scenarios B and C. (Refer to "Basic OCSP Setup Scenarios" in the SGOS Administration Guide.)The errors might occur in one of two ways:
      • Scenario B - The response signer certificate is not delegated for the OCSP signing. The event log records this error as missing OCSP signing usage.
      • Scenario C - The root CA does not have the trust setting enabled for the OCSP Signing. The event log records this error as root CA not trusted.
      • Either of these errors may be ignored by enabling this setting.
    • Ignore unknown revocation status - Select this setting to ignore unknown revocation status as an error. By default, unknown status is an error and causes subject certificate verification to fail.
  11. Click OK.

Click Apply.