Certificate Revocation
Digital certificates have an expiration date, however, prior to expiration, a certificate may no longer be valid due to many reasons. You can manage certificate revocations and validations locally and by referencing a Certificate Authority (CA) certificate revocation list (CRL).
Understanding Online Certificate Status Protocol and Certificate Revocation Lists
OCSP is used to check the revocation status of X509 certificates. OCSP provides revocation status on certificates in real time and is useful in time-sensitive situations such as bank transactions and stock trades.
The revocation status of a certificate is checked by sending a request to an OCSP server that resides outside of an SRX Series Firewall. Based on the response from the server, the VPN connection is allowed or denied. OCSP responses are not cached on SRX Series Firewalls.
The OCSP server can be the certificate authority (CA) that issues a
certificate or a designated authorized responder. The location of the OCSP server can be
configured manually or extracted from the certificate that is being verified. Requests
are sent first to OCSP server locations that are manually configured in CA profiles with
the ocsp url
statement at the [edit security pki ca-profile
profile-name revocation-check
] hierarchy level; up
to two locations can be configured for each CA profile. If the first configured OCSP
server is not reachable, the request is sent to the second OCSP server. If the second
OCSP server is not reachable, the request is then sent to the location in the
certificate's AuthorityInfoAccess extension field. The use-ocsp
option
must also be configured, as certificate revocation list (CRL) is the
default checking method.
SRX Series Firewalls accept only signed OCSP responses from the CA or authorized responder. The response received is validated using trusted certificates. The response is validated as follows:
-
The CA certificate enrolled for the configured CA profile is used to validate the response.
-
The OCSP response might contain a certificate to validate the OCSP response. The received certificate must be signed by a CA certificate enrolled in the SRX Series Firewall. After the received certificate is validated by the CA certificate, it is used to validate the OCSP response.
The response from the OCSP server can be signed by different CAs. The following scenarios are supported:
-
The CA server that issues the end entity certificate for a device also signs the OCSP revocation status response. The SRX Series Firewall verifies the OCSP response signature using the CA certificate enrolled in the SRX Series Firewall. After the OCSP response is validated, the certificate revocation status is checked.
-
An authorized responder signs the OCSP revocation status response. The certificate for the authorized responder and the end entity certificate being verified must be issued by the same CA. The authorized responder is first verified using the CA certificate enrolled in the SRX Series Firewall. The OCSP response is validated using the responder’s CA certificate. The SRX Series Firewall then uses the OCSP response to check the revocation status of the end entity certificate.
-
There are different CA signers for the end entity certificate being verified and the OCSP response. The OCSP response is signed by a CA in the certificate chain for the end entity certificate being verified. (All peers participating in an IKE negotiation need to have at least one common trusted CA in their respective certificate chains.) The OCSP responder’s CA is verified using a CA in the certificate chain. After validating the responder CA certificate, the OCSP response is validated using the responder’s CA certificate.
To prevent replay attacks, a nonce payload can be sent in an OCSP request. Nonce payloads are sent by default unless it is explicitly disabled. If enabled, the SRX Series Firewall expects the OCSP response to contain a nonce payload, otherwise the revocation check fails. If OCSP responders are not capable of responding with a nonce payload, then the nonce payload must be disabled on the SRX Series Firewall.
In the normal course of business, certificates are revoked for various reasons. You might wish to revoke a certificate if you suspect that it has been compromised, for example, or when a certificate holder leaves the company.
You can manage certificate revocations and validations in two ways:
-
Locally— This is a limited solution.
-
By referencing a Certificate Authority (CA) certificate revocation list (CRL)— You can automatically access the CRL online at intervals you specify or at the default interval set by the CA.
In Phase 1 negotiations, SRX Series Firewall verifies the EE certificate received from the peer during an IKE exchange and uses the CRL to make sure the EE certificate is not revoked by its CA.
If a CRL is not loaded on the device and the peer certificate issuer is a trusted CA:
- Junos OS retrieves the CRL through the configured LDAP or HTTP CRL locations (that is, the CRL Distribution Points (CDP)), if they are defined in the CA profile.
- If the CRL Distribution Points is not configured in the CA profile, the device uses the CDP extension in a certificate issued by the CA (if present). The certificate issued by the CA can be a certificate enrolled by the administrator or received during the Phase 1 negotiation.
If the EE certificate is not issued by a root CA, the certificates of each intermediate CAs goes through the same verification and revocation check. The CRL of the root CA is used to check if the certificate issued by the root CA is revoked. If the CDP is not configured in the root CA profile, the device uses the CDP extension in the certificate issued by the CA (if present).
The CRL distribution point extension (.cdp) in an X509 certificate can be added to either an HTTP URL or an LDAP URL.
If the certificate does not contain a certificate distribution point extension, and you cannot automatically retrieve the CRL through Lightweight Directory Access Protocol (LDAP) or Hypertext Transfer Protocol (HTTP), you can retrieve a CRL manually and load that in the device.
Local certificates are being validated against certificate revocation list (CRL) even when CRL check is disabled. This can be stopped by disabling the CRL check through the Public Key Infrastructure (PKI) configuration. When CRL check is disabled, PKI will not validate local certificate against CRL.
Comparison of Online Certificate Status Protocol and Certificate Revocation List
Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) can both be used to check the revocation status of a certificate. There are advantages and disadvantages to each method.
-
OCSP provides certificate status in real time, while CRL uses cached data. For time-sensitive applications, OCSP is the preferred approach.
-
CRL checking is faster because lookup for certificate status is done on information cached on the VPN device. OCSP requires time to obtain the revocation status from an external server.
-
CRL requires additional memory to store the revocation list received from a CRL server. OCSP does not require additional memory to save the revocation status of certificates.
-
OCSP requires that the OCSP server be available at all times. CRL can use cached data to check the revocation status of certificates when the server is unreachable.
On MX Series and SRX Series Firewalls, CRL is the default method used to check the revocation status of a certificate.
See Also
Example: Manually Loading a CRL onto the Device
This example shows how to load a CRL manually onto the device.
Requirements
Before you begin:
Generate a public and private key pair. See Self-Signed Digital Certificates.
Generate a certificate request. See Example: Manually Generating a CSR for the Local Certificate and Sending It to the CA Server.
Configure a certificate authority (CA) profile. See Example: Configuring a CA Profile.
Load your certificate onto the device. See Example: Loading CA and Local Certificates Manually.
Overview
You can load a CRL manually, or you can have the device load it automatically, when you verify certificate validity. To load a CRL manually, you obtain the CRL from a CA and transfer it to the device (for example, using FTP).
In this example, you load a CRL certificate called revoke.crl
from the /var/tmp directory on the device. The CA profile is called ca-profile-ipsec
. (Maximum file size is 5 MB.)
If a CRL is already loaded into the ca-profile the command clear security pki crl ca-profile ca-profile-ipsec
must be
run first to clear the old CRL.
Configuration
Procedure
Step-by-Step Procedure
To load a CRL certificate manually:
Load a CRL certificate.
[edit] user@host> request security pki crl load ca-profile ca-profile-ipsec filename /var/tmp/revoke.crl
Junos OS supports loading of CA certificates in X509, PKCS #7, DER, or PEM formats.
Verification
To verify the configuration is working properly,
enter the show security pki crl
operational mode command.
Understanding Dynamic CRL Download and Checking
Digital certificates are issued for a set period of time and are invalid after the specified expiration date. A CA can revoke an issued certificate by listing it in a certificate revocation list (CRL). During peer certificate validation, the revocation status of a peer certificate is checked by downloading the CRL from a CA server to the local device.
To facilitate the CRL check for the certificates when a CA profile is not configured,
dynamic CA profile is created. A dynamic CA profile is automatically created on the
local device with the format dynamic-nnn
.
A dynamic CA profile:
- Allows the local device to download the Dynamic CA and Dynamic CRL (for corresponding CA) as per peer’s localcert issuer
- Checks the revocation status of the peer's certificate
A VPN device checks a peer's EE certificate for its revocation status. A VPN device uses the certificate received from its peer to do the following:
- Extract the URL to dynamically download the CA's CRL
- Check the revocation status of the peer's EE certificate
In Figure 1, Host-A can use the Sales-CA and EE certificates received from Host-B to dynamically download the CRL for Sales-CA and check the revocation status of Host-B’s certificate.
In case of single hierarchy CA servers or CA certificate chain, the local EE certificate and the received peer EE certificate are issued from the same CA server.
Following are some of the SRX Series Firewall behavior based on different configurations:
- If you have configured a SRX Series Firewall with a trusted-ca or trusted-ca-group, then the device does not validate or trust any other CAs.
- If you have defined a CA profile that has a chain of CAs where the SRX Series Firewall only trusts the root CA and peer has a certificate signed by a sub-CA to this root, then Dynamic CA and CRL will be added to the device.
Table 1 provides few sample scenarios where Dynamic CA or CRL is not created:
Scenario |
Condition |
---|---|
Sample scenario 1 |
In the CA profile, you have defined a trusted CA for ca-profile-name, and you receive a connection from a device that has a certificate signed by a different CA that was not defined as a trusted CA in your CA profile. |
Sample scenario 2 |
You have defined a CA profile that has a chain of CAs where the SRX Series Firewall only trust a sub-CA, and peer has a certificate signed by a level above this sub-CA. |
To enable dynamic CA profiles, you must configure the revocation-check
crl
option on a Root-CA profile at the [edit security pki
ca-profile profile-name
] hierarchy level.
The revocation check properties of a Root-CA profile are inherited for dynamic CA profiles. In Figure 1, the CA profile configuration on Host-A for Root-CA enables dynamic CA profiles as shown in the following output:
admin@host-A# show security pki { ca-profile Root-CA { ca-identity Root-CA; enrollment { url “www.example.net/scep/Root/”; } revocation-check { crl; } } }
A dynamic CA profile is created on Host-A for Sales-CA. Revocation checking is inherited for the Sales-CA dynamic CA profile from Root-CA.
If the revocation-check disable
statement is configured in a
Root-CA
profile, dynamic CA profiles are not created and dynamic CRL download and checking is
not performed.
The data for CRLs downloaded from dynamic CA profiles are displayed with the show
security pki crl
command in the same way as CRLs downloaded by configured
CA profiles. The CRL from a dynamic CA profile is updated periodically as are those for
CA profiles that are configured in the device. The peer CA certificate is also required
for signature validation of CRL downloaded from CA server.
The CA certificate is required to validate the CRL received from a CA server; therefore, the CA certificate received from a peer is stored on the local device. The received CA certificate from peer is used to validate the CRL and the certificate it issued. Because the received CA certificate is not enrolled by an administrator, the result of a successful certificate verification is not conclusive until the whole certificate chain up to the root CA is verified. The certificate of the root CA must be enrolled by an administrator.
See Also
Example: Configuring a Certificate Authority Profile with CRL Locations
This example shows how to configure a certificate authority profile with CRL locations.
Requirements
Before you begin:
Generate a key pair in the device. See Digital Certificates.
Create a CA profile or profiles containing information specific to a CA. See Example: Configuring a CA Profile.
Obtain a personal certificate from the CA. See Example: Manually Generating a CSR for the Local Certificate and Sending It to the CA Server.
Load the certificate onto the device. See Example: Loading CA and Local Certificates Manually.
Configure automatic reenrollment. See Example: Configuring SecurID User Authentication.
If necessary, load the certificate's CRL on the device. See Example: Manually Loading a CRL onto the Device.
Overview
In this example, you direct the device to check the validity of the CA profile called
my_profile
and, if a CRL did not accompany a CA certificate and
is not loaded on the device, to retrieve the CRL from the URL
http://abc/abc-crl.crl
.
Configuration
Procedure
Step-by-Step Procedure
To configure certificate using CRL:
Specify the CA profile and URL.
[edit] user@host# set security pki ca-profile my_profile revocation-check crl url http://abc/abc-crl.crl
If you are done configuring the device, commit the configuration.
[edit] user@host# commit
Verification
To verify the configuration is working properly,
enter the show security pki
operational mode command.
Example: Verifying Certificate Validity
This example shows how to verify the validity of a certificate.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you verify certificates manually to find out whether a certificate has been revoked or whether the CA certificate used to create a local certificate is no longer present on the device.
When you verify certificates manually, the device uses the CA
certificate (ca-cert
) to verify the local certificate ( local.cert
). If the local certificate is valid, and if revocation-check
is enabled in the CA profile, the device verifies
that the CRL is loaded and valid. If the CRL is not loaded and valid,
the device downloads the new CRL.
For CA-issued certificates or CA certificates, a DNS must be configured in the device’s configuration. The DNS must be able to resolve the host in the distribution CRL and in the CA cert/revocation list url in the ca-profile configuration. Additionally, you must have network reachability to the same host in order for the checks to receive.
Configuration
Procedure
Step-by-Step Procedure
To manually verify the validity of a certificate:
Verify the validity of a local certificate.
[edit] user@host> request security pki local-certificate verify certificate-id local.cert
Verify the validity of a CA certificate.
[edit] user@host> request security pki ca-certificate verify ca-profile ca-profile-ipsec
The associated private key and the signature are also verified.
Verification
To verify the configuration is working properly,
enter the show security pki ca-profile
command.
If an error is returned instead of a positive verification the failure is logged in pkid.
Deleting a Loaded CRL (CLI Procedure)
You can choose to delete a loaded CRL if you no longer need to use it to manage certificate revocations and validation.
Use the following command to delete a loaded certificate revocation list:
user@host>
clear security pki crl ca-profile (ca-profile all)
Specify a CA profile to delete a CRL associated
with the CA identified by the profile, or use all
to delete
all CRLs.