OCSP Protocol: What Is the Online Certificate Status Protocol (OCSP)? A Tutorial with Examples
Certificates such as SSL and X.509 certificates are used to secure network traffic. Every certificate has its own life cycle, and in a distributed environment like the Internet we need to manage that life cycle. The Online Certificate Status Protocol (OCSP) is used to manage certificate validity and life cycle.
The OCSP standard is defined in RFC 6960 under the name "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". It obsoletes the earlier PKIX definition of the certificate status protocol.
OCSP
The Online Certificate Status Protocol (OCSP) enables applications to determine the (revocation) state of identified certificates. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificates in question until the responder provides a response.
OCSP Request
When we make a request to an OCSP server, the following information must be present in the OCSP request.
- `Protocol Version`
- `Service Request`
- `Target Certificate Identifier`
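To show what those three items look like on the wire, here is an added example (not code from the original article or from poftut.com) that builds an unsigned OCSPRequest in DER exactly as RFC 6960 lays it out and then decodes it again on the responder side. Only the Python standard library is used; the issuer Name and issuer public key bytes are constructed stand-ins, labelled as such in the code, where a real client would take them from the CA certificate. The target certificate identifier is the CertID: the hash algorithm, the hash of the issuer's DER-encoded Name, the hash of the issuer's public key, and the certificate serial number. The protocol version is v1, which DER expresses by omitting the DEFAULT field.

```python
import hashlib

# --- minimal DER helpers (only what an OCSPRequest needs) ---
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """One TLV: tag, length, content."""
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, body)

def der_read(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# AlgorithmIdentifier body for id-sha1 (1.3.14.3.2.26) with NULL parameters
SHA1_ALGID_BODY = der(0x06, bytes.fromhex("2b0e03021a")) + der(0x05, b"")

# Constructed stand-ins (hypothetical values): the issuer's DER Name and the bytes of
# its public key BIT STRING value. RFC 6960 hashes exactly these two things.
ISSUER_NAME_DER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))
                                                  + der(0x0C, b"Example CA"))))
ISSUER_PUBLIC_KEY = bytes(range(64))

def build_ocsp_request(issuer_name_der: bytes, issuer_public_key: bytes, serial: int) -> bytes:
    """OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }  (unsigned, one CertID)."""
    cert_id = der(0x30,
                  der(0x30, SHA1_ALGID_BODY)                             # hashAlgorithm
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
                  + der(0x04, hashlib.sha1(issuer_public_key).digest())  # issuerKeyHash
                  + der_int(serial))                                     # serialNumber
    request_list = der(0x30, der(0x30, cert_id))  # SEQUENCE OF Request { reqCert CertID }
    # TBSRequest.version is [0] EXPLICIT DEFAULT v1; DER omits defaults, so v1 is implied.
    tbs_request = der(0x30, request_list)
    return der(0x30, tbs_request)

def parse_ocsp_request(data: bytes) -> dict:
    """Responder side: recover the version and every CertID from a DER OCSPRequest."""
    tag, ocsp_body, end = der_read(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single OCSPRequest SEQUENCE")
    _, tbs, _ = der_read(ocsp_body, 0)          # TBSRequest (optionalSignature ignored)
    version, pos = 1, 0
    tag, content, nxt = der_read(tbs, pos)
    if tag == 0xA0:                              # explicit [0] version present (non-default)
        _, vbytes, _ = der_read(content, 0)
        version, pos = int.from_bytes(vbytes, "big") + 1, nxt
        tag, content, nxt = der_read(tbs, pos)
    if tag == 0xA1:                              # optional [1] requestorName: skip it
        pos = nxt
        tag, content, nxt = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("requestList missing")
    cert_ids, pos = [], 0
    while pos < len(content):                    # one Request per target certificate
        _, request, pos = der_read(content, pos)
        _, cert_id, _ = der_read(request, 0)
        _, alg, p = der_read(cert_id, 0)
        _, name_hash, p = der_read(cert_id, p)
        _, key_hash, p = der_read(cert_id, p)
        _, serial_bytes, _ = der_read(cert_id, p)
        cert_ids.append({
            "hash_algorithm": "sha1" if alg == SHA1_ALGID_BODY else alg.hex(),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial_bytes, "big"),
        })
    return {"version": version, "cert_ids": cert_ids}

def demo_round_trip(serial: int = 0x1A2B3C) -> dict:
    """Encode a request for one serial and decode it again."""
    return parse_ocsp_request(build_ocsp_request(ISSUER_NAME_DER, ISSUER_PUBLIC_KEY, serial))

if __name__ == "__main__":
    print(demo_round_trip())
```

The responder never sees the target certificate itself, only the CertID, which is why the issuer hashes matter: they tell the responder which CA's serial-number space the serial belongs to. A responder that skipped the issuer-hash comparison could confuse two CAs that happen to reuse serial numbers.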
OCSP Server
OCSP servers provide their service over the OCSP protocol. A client can interactively check the status of an X.509 or SSL certificate. The check is performed using the certificate's serial number.
In the example certificate, we can see that it is valid between 16/12/2018 and 16/12/2019. If this certificate is stolen, OCSP can be used to make it invalid before the end of its validity period.
OCSP Certificate Status Response
When a certificate's status is checked, the OCSP server can return one of the following responses.
- `Current` means the certificate is valid and can be used.
- `Expired` means the certificate is not valid and shouldn't be used.
- `unknown` means the certificate is not known to the responder, which generally happens with self-signed certificates.
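The following added example (not code from the original article or from poftut.com) shows both halves of the exchange described above and in the OCSP Server section: a responder that answers a status query by serial number from a constructed CA database, and a client that suspends acceptance of the certificate until a response arrives and then fails closed. RFC 6960 names the three states good, revoked and unknown, and the example uses those names. The database, serial numbers, clock and revocation reason are constructed values, labelled as such in the code; the responder's signature over the response is assumed to have been verified already, which a real client must do before trusting any of these fields. Only the Python standard library is used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple

class CertStatus(Enum):
    """Certificate states defined by RFC 6960 (the CertStatus CHOICE)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

@dataclass
class SingleResponse:
    """The fields of one RFC 6960 SingleResponse a client needs to make a decision."""
    serial: int
    status: CertStatus
    this_update: datetime            # time at which the responder knew this status was correct
    next_update: Optional[datetime]  # time at which newer status information will be available
    revocation_time: Optional[datetime] = None
    revocation_reason: Optional[str] = None

HOUR = timedelta(hours=1)
DEMO_NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock value

# Constructed CA database (hypothetical serials): what this CA issued and what it revoked.
ISSUED_SERIALS = {0x1A2B3C, 0x1A2B3D}
REVOKED_SERIALS: Dict[int, Tuple[datetime, str]] = {
    # the "stolen certificate" case from the text: revoked while still inside its validity dates
    0x1A2B3C: (datetime(2019, 3, 1, 9, 30, tzinfo=timezone.utc), "keyCompromise"),
}

def responder_lookup(serial: int, now: datetime, validity: timedelta = HOUR) -> SingleResponse:
    """Responder side: answer a status request for one certificate serial number."""
    if serial not in ISSUED_SERIALS:
        # No record of this serial (for example a self-signed or foreign certificate).
        return SingleResponse(serial, CertStatus.UNKNOWN, now, now + validity)
    if serial in REVOKED_SERIALS:
        when, reason = REVOKED_SERIALS[serial]
        return SingleResponse(serial, CertStatus.REVOKED, now, now + validity, when, reason)
    return SingleResponse(serial, CertStatus.GOOD, now, now + validity)

def client_accepts(cert_serial: int, response: Optional[SingleResponse], now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Client side: decide whether to accept the certificate. Any doubt means reject."""
    if response is None:
        return False, "no response yet: acceptance suspended"
    if response.serial != cert_serial:
        return False, "response does not match the certificate being checked"
    if response.this_update > now + max_skew:
        return False, "thisUpdate is in the future"
    if response.next_update is not None and now > response.next_update:
        return False, "response is stale (past nextUpdate)"
    if response.status is CertStatus.GOOD:
        return True, "good"
    if response.status is CertStatus.REVOKED:
        when = response.revocation_time.isoformat() if response.revocation_time else "unknown time"
        return False, f"revoked at {when} ({response.revocation_reason})"
    return False, "unknown to this responder"

def run_demo(now: datetime = DEMO_NOW) -> Dict[str, Tuple[bool, str]]:
    """Exercise the good, revoked, unknown, missing-response and stale-response cases."""
    outcomes = {}
    for label, serial in (("good", 0x1A2B3D), ("revoked", 0x1A2B3C), ("unknown", 0x999999)):
        outcomes[label] = client_accepts(serial, responder_lookup(serial, now), now)
    outcomes["no_response"] = client_accepts(0x1A2B3D, None, now)
    # A response captured earlier and replayed after its nextUpdate must not be trusted.
    outcomes["stale"] = client_accepts(0x1A2B3D, responder_lookup(0x1A2B3D, now), now + 2 * HOUR)
    return outcomes

if __name__ == "__main__":
    for label, (ok, why) in run_demo().items():
        print(f"{label:12s} accept={ok} ({why})")
```

The nextUpdate check is what gives OCSP its advantage over a periodically downloaded list: the responder states how long its answer is good for, and a client that honours that window cannot keep relying on status information the CA has since changed.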
OCSP Is Better Than a Certificate Revocation List (CRL)
Before OCSP there was the Certificate Revocation List (CRL). A CRL is a list of certificates that have been invalidated or have expired for various reasons. Every client had to download this CRL at specified intervals. This mechanism is not secure, because:
- An invalid certificate can be used without the client knowing it.
- The CRL download interval creates a window during which a client has no up-to-date revocation information.
- Downloading a CRL is neither practical nor easy.
- Downloading the CRL again and again consumes bandwidth and storage on data the client mostly does not need.
Translated from: https://www.poftut.com/what-is-online-certificate-status-protocol-ocsp-and-tutorial-with-examples/