OCSP Protocol
Certificates such as the X.509 certificates used for SSL/TLS secure network traffic. Every certificate has its own life cycle, and in a distributed environment like the Internet that life cycle must be managed. The Online Certificate Status Protocol (OCSP) is used to check the validity of certificates during their life cycle.
The OCSP standard is defined in RFC 6960, titled "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". It obsoletes the earlier PKIX definition of the protocol.
OCSP
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of identified certificates. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs, and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response.
OCSP Request
When we make a request to an OCSP server, the following information must be present in the OCSP request:
- `Protocol Version`
- `Service Request`
- `Target Certificate Identifier`
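As an added example (not code from the original article), the stdlib-only Python below builds the DER-encoded, unsigned OCSPRequest of RFC 6960 for a single certificate, so the three items above can be seen in the bytes: the protocol version (v1, omitted because it is the ASN.1 DEFAULT), the service request (the requestList holding one Request) and the target certificate identifier (a CertID made of the SHA-1 hashes of the issuer's DER-encoded name and public key plus the certificate serial number). The issuer name, issuer key and serial number are constructed placeholders, not values taken from a real certificate.

```python
import hashlib

# Added example, not from the original article: a stdlib-only builder for the
# unsigned OCSPRequest structure of RFC 6960. Inputs are constructed placeholders.

SHA1_ALGID = bytes.fromhex("3009" "06052b0e03021a" "0500")  # AlgorithmIdentifier {id-sha1, NULL}


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite-form length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    """Encode a non-negative INTEGER, adding a leading 0x00 when the top bit is set."""
    if value < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return der(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def cert_id(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """CertID, the target certificate identifier the responder looks up.

    issuer_name_der:   DER bytes of the issuer Name from the issuer certificate.
    issuer_public_key: the issuer's subjectPublicKey BIT STRING value, without the
                       tag, length and unused-bits byte.
    serial:            serial number of the certificate whose status is requested.
    """
    return der(0x30, SHA1_ALGID
               + der(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
               + der(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
               + der_integer(serial))                                 # serialNumber


def ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest }, unsigned. TBSRequest holds the
    protocol version (v1, the DEFAULT, so omitted under DER) and the service
    request: a requestList containing one Request."""
    request = der(0x30, cert_id(issuer_name_der, issuer_public_key, serial))  # Request
    request_list = der(0x30, request)  # SEQUENCE OF Request
    return der(0x30, der(0x30, request_list))  # TBSRequest wrapped in OCSPRequest
```

The returned bytes are what a client sends in an HTTP POST to the responder URL with `Content-Type: application/ocsp-request`; a real client takes the issuer name and key from the issuer certificate rather than placeholder strings.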
OCSP Server
OCSP servers provide the service over the OCSP protocol. A client can interactively check the status of an X.509 (SSL/TLS) certificate; the check is done using the certificate serial number.
We can see that the given certificate is valid between 16/12/2018 and 16/12/2019. If this certificate is stolen, OCSP can be used to report it as invalid before its expiry date.
OCSP Certificate Status Response
When a certificate's status is checked, the OCSP server can return one of the following responses:
- `Current` means the certificate is valid and can be used.
- `Expired` means the certificate is not valid and should not be used.
- `unknown` means the certificate is not known to the responder, which generally occurs with self-signed certificates.
OCSP is Better Than Certificate Revocation List (CRL)
Before OCSP there was the Certificate Revocation List (CRL). A CRL is a list of certificates that are invalid or expired for various reasons. Every client has to download this CRL at specified intervals. This mechanism is not secure because:
- An invalid certificate can be used without the client knowing it.
- The CRL download intervals create security holes.
- Downloading a CRL is neither practical nor easy.
- Downloading the CRL again and again consumes bandwidth and storage unnecessarily.
Translated from: https://www.poftut.com/what-is-online-certificate-status-protocol-ocsp-and-tutorial-with-examples/