Certificate revocation lists

Certificate authorities (CAs) issue certificate revocation lists (CRLs). A CRL contains information about certificates that can no longer be trusted. For example, suppose Ann leaves XYZ Corporation. The company can place Ann's certificate on a CRL to prevent her from using that key to sign messages.

Similarly, you can revoke a certificate if a private key is compromised or if that certificate expired and a new one is in use. Before you trust a public key, make sure that the certificate does not appear on a CRL.

Citrix Gateway supports the following two methods of checking a certificate's revocation status:

  • CRLs, which list the certificates that have been revoked or are no longer valid
  • The Online Certificate Status Protocol (OCSP), an Internet protocol for obtaining the revocation status of an X.509 certificate

To add a CRL:

Before you configure the CRL on the Citrix Gateway appliance, make sure that the CRL file is stored locally on the appliance. In the case of a high availability setup, the CRL file must be present on both Citrix Gateway appliances, and the directory path to the file must be the same on both appliances.

The following parameters and limits apply when you add a CRL or configure its refresh:

  • CRL Name: The name of the CRL being added on the Citrix ADC. Maximum 31 characters.
  • CRL File: The name of the CRL file being added on the Citrix ADC. The Citrix ADC looks for the CRL file in the /var/netscaler/ssl directory by default. Maximum 63 characters.
  • URL: Maximum 127 characters
  • Base DN: Maximum 127 characters
  • Bind DN: Maximum 127 characters
  • Password: Maximum 31 characters
  • Days: Maximum 31
  1. In the configuration utility, on the Configuration tab, expand SSL, and then click CRL.
  2. In the details pane, click Add.
  3. In the Add CRL dialog box, specify the values for the following:
    • CRL Name
    • CRL File
    • Format (optional)
    • CA Certificate (optional)
  4. Click Create, and then click Close. In the CRL details pane, select the CRL that you configured and verify that the settings that appear at the bottom of the screen are correct.

To configure CRL autorefresh by using LDAP or HTTP in the GUI:

A CA generates and publishes its CRL periodically, or sometimes immediately after a particular certificate is revoked. Citrix recommends that you update the CRL on the Citrix Gateway appliance regularly, so that clients presenting revoked certificates are rejected rather than accepted on the strength of a stale list.

The Citrix Gateway appliance can refresh the CRL from a web location or from an LDAP directory. When you specify the refresh parameters and a web location or LDAP server, the CRL does not have to exist on the local hard drive when you run the command. The first refresh stores a copy on the local hard drive, in the path specified by the CRL File parameter. The default path for storing the CRL is /var/netscaler/ssl.

CRL refresh parameters

  • CRL Name

    The name of the CRL to refresh on the Citrix Gateway.

  • Enable CRL Auto Refresh

    Enable or disable CRL auto refresh.

  • CA Certificate

    The certificate of the CA that has issued the CRL. This CA certificate must be installed on the appliance. The Citrix ADC can update CRLs only from CAs whose certificates are installed on it.

  • Method

    Protocol in which to obtain the CRL refresh from a web server (HTTP) or an LDAP server. Possible Values: HTTP, LDAP. Default: HTTP.

  • Scope

    The extent of the search operation on the LDAP server. If the scope specified is Base, the search is at the same level as the base DN. If the scope specified is One, the search extends to one level below the base DN.

  • Server IP

    The IP address of the LDAP server from which the CRL is retrieved. Select IPv6 to use an IPv6 address.

  • Port

    The port number on which the LDAP or the HTTP server communicates.

  • URL

    The URL of the web location from which the CRL is retrieved.

  • Base DN

    The base DN used by the LDAP server to search for the CRL attribute. Note: Citrix recommends using the base DN attribute instead of the Issuer-Name from the CA certificate to search for the CRL in the LDAP server. The Issuer-Name field may not exactly match the LDAP directory structure’s DN.

  • Bind DN

    The bind DN attribute is used to access the CRL object in the LDAP repository. The bind DN attributes are the administrator credentials for the LDAP server. Configure this parameter to restrict unauthorized access to the LDAP servers.

  • Password

    The administrator password used to access the CRL object in the LDAP repository. Password is required if the access to the LDAP repository is restricted, that is, anonymous access is not allowed.

  • Interval

    The interval at which the CRL refresh must be carried out. For an instantaneous CRL refresh, specify the interval as NOW. Possible values: MONTHLY, DAILY, WEEKLY, NOW, NONE.

  • Days

    The day on which the CRL refresh must be performed. The option is not available if the interval is set to DAILY.

  • Time

    The exact time in 24-hour format when the CRL refresh must be performed.

  • Binary

    Sets the LDAP-based CRL retrieval mode to binary. Possible values: YES, NO. Default: NO.

  1. In the navigation pane, expand SSL, and then click CRL.
  2. Select the configured CRL for which you want to update refresh parameters and then click Open.
  3. Select the Enable CRL Auto Refresh option.
  4. In the CRL Auto Refresh Parameters group, specify values for the following parameters: Note: An asterisk (*) indicates a required parameter.
    • Method
    • Binary
    • Scope
    • Server IP
    • Port*
    • URL
    • Base DN*
    • Bind DN
    • Password
    • Interval
    • Days
    • Time
  5. Click Create. In the CRL pane, select the CRL that you configured and verify that the settings that appear at the bottom of the screen are correct.

Monitor certificate status with OCSP

The Online Certificate Status Protocol (OCSP) is an Internet protocol that is used to determine the status of a client SSL certificate. Citrix Gateway supports OCSP as defined in RFC 2560. OCSP offers significant advantages over certificate revocation lists (CRLs) in terms of timely information: a CRL is only as current as its last publication, whereas an OCSP response reflects the responder's current view of the certificate. Up-to-date revocation status of a client certificate is especially useful in transactions involving large sums of money and high-value stock trades. OCSP also uses fewer system and network resources. The Citrix Gateway implementation of OCSP includes request batching and response caching.

Citrix Gateway implementation of OCSP

OCSP validation on a Citrix Gateway appliance begins when Citrix Gateway receives a client certificate during an SSL handshake. To validate the certificate, Citrix Gateway creates an OCSP request and forwards it to the OCSP responder. To do so, Citrix Gateway either extracts the URL for the OCSP responder from the client certificate or uses a locally configured URL. The transaction is in a suspended state until Citrix Gateway evaluates the response from the server and determines whether to allow the transaction or to reject it. If the response from the server is delayed beyond the configured time and no other responders are configured, Citrix Gateway allows the transaction or displays an error, depending on whether you set the OCSP check to optional or mandatory. Citrix Gateway supports batching of OCSP requests and caching of OCSP responses to reduce the load on the OCSP responder and provide faster responses.

OCSP request batching

Each time Citrix Gateway receives a client certificate, it sends a request to the OCSP responder. To help avoid overloading the OCSP responder, Citrix Gateway can query the status of more than one client certificate in the same request. For request batching to work efficiently, you need to define a time-out so that processing of a single certificate is not delayed while waiting to form a batch.

OCSP response caching

Caching the responses received from the OCSP responder enables faster responses to the user and reduces the load on the OCSP responder. Upon receiving the revocation status of a client certificate from the OCSP responder, Citrix Gateway caches the response locally for a predefined length of time. When a client certificate is received during an SSL handshake, Citrix Gateway first checks its local cache for an entry for this certificate. If an entry is found that is still valid (within the cache time-out limit), the entry is evaluated and the client certificate is accepted or rejected. If no entry is found, Citrix Gateway sends a request to the OCSP responder and stores the response in its local cache for the configured length of time. Note that a certificate revoked after its status was cached continues to be accepted until the cached entry expires, so the cache time-out bounds how stale an accept decision can be.

Configure OCSP certificate status

Configuring an Online Certificate Status Protocol (OCSP) involves adding an OCSP responder, binding the OCSP responder to a signed certificate from a Certificate Authority (CA), and binding the certificate and private key to a Secure Sockets Layer (SSL) virtual server. If you need to bind a different certificate and private key to an OCSP responder that you already configured, you need to first unbind the responder and then bind the responder to a different certificate.

To configure OCSP

  1. On the Configuration tab, in the navigation pane, expand SSL and then click OCSP Responder.

  2. In the details pane, click Add.

  3. In Name, type a name for the profile.

  4. In URL, type the web address of the OCSP responder.

    This field is mandatory. The Web address cannot exceed 32 characters.

  5. To cache the OCSP responses, click Cache and in Time-out, type the number of minutes that Citrix Gateway holds the response.

  6. Under Request Batching, click Enable.

  7. In Batching Delay, specify the time, in milliseconds, to wait for further requests before a batch of OCSP requests is sent.

    The values can be from 0 through 10000. The default is 1.

  8. In Produced At Time Skew, type the amount of clock skew that Citrix Gateway tolerates between the producedAt time in a response and its own clock when it checks or accepts the response.

  9. Under Response Verification, select Trust Responses if you want to disable signature checks on the responses from the OCSP responder.

    If you enable Trust Responses, the verification settings in Step 8 and Step 10 are not used. Use this option only in a test environment: without signature verification, anyone who can interpose on the path between the appliance and the responder can return a forged "good" status for a revoked certificate.

  10. In Certificate, select the certificate that is used to sign the OCSP responses.

    If you do not select a certificate, the CA certificate associated with the OCSP responder is used to verify the responses.

  11. In Request Time-out, type the number of milliseconds to wait for an OCSP response.

    This time includes the Batching Delay time. The values can be from 0 through 120000. The default is 2000.

  12. In Signing Certificate, select the certificate and private key used to sign OCSP requests. If you do not specify a certificate and private key, the requests are not signed.

  13. To enable the number-used-once (nonce) extension, select Nonce.

  14. To use a client certificate, click Client Certificate Insertion.

  15. Click Create, and then click Close.
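The two checks this page describes, a CRL lookup (Certificate revocation lists, above) and an OCSP exchange with request batching and a nonce (Citrix Gateway implementation of OCSP and the procedure just completed), worked end to end with the openssl command-line tool. This is an added example, not Citrix code and not anything shipped on the appliance: it builds its own throwaway CA, so the CA name, the users ann and bob, the file names and the temporary working directory are all constructed for the demonstration. The appliance is not involved; the script only produces the artifacts it would consume (a CRL file in PEM and DER form, an OCSP request and response) and performs, with openssl, the same decisions the appliance makes.

```shell
#!/bin/sh
# Added example, not Citrix code. A throwaway CA built with the openssl CLI (1.1.1 or
# later) issues two client certificates and revokes one, then (1) publishes a CRL and
# checks both certificates against it and (2) answers and verifies a batched OCSP
# request for them, all offline. Every name, path and user here is made up.
set -eu

# Minimal "openssl ca" configuration; its database (index.txt) is the single source
# that both the CRL and the OCSP answers below are derived from.  $1 = working dir.
make_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = policy_any
x509_extensions = client_cert
[ policy_any ]
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 365 -subj "/CN=XYZ Demo CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# Issue a client certificate for common name $2; openssl ca records it in index.txt.
issue() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Revoke $2's certificate (reason keyCompromise), as the text does for Ann's key.
revoke() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" -crl_reason keyCompromise 2>/dev/null; }
# Publish the CRL as PEM and as DER: either could be copied to /var/netscaler/ssl and
# added with the matching Format; the CRL File parameter would name the file.
gen_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
    openssl crl -in "$1/crl.pem" -outform DER -out "$1/crl.der"
}
# The check the text asks for before trusting a key: the certificate must chain to the
# CA and must be absent from the CRL. Prints good, revoked or error.
crl_status() {
    out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt" 2>&1 || true)
    case $out in *": OK"*) echo good ;; *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}
# One batched OCSP request covering every listed certificate, with a nonce (the
# appliance's Request Batching and Nonce options). $1 = dir, $2.. = common names.
ocsp_request() {
    dir=$1; shift
    for cn; do set -- "$@" -cert "$dir/$cn.crt"; shift; done
    openssl ocsp -issuer "$dir/ca.crt" "$@" -reqout "$dir/ocsp.req" >/dev/null 2>&1
}
request_has_nonce() { openssl ocsp -reqin "$1/ocsp.req" -req_text 2>/dev/null | grep -qi nonce; }
# Answer the stored request from index.txt, signing as the CA. The appliance would
# instead send the request to the responder URL and wait up to Request Time-out.
ocsp_respond() {
    openssl ocsp -index "$1/index.txt" -CA "$1/ca.crt" -rsigner "$1/ca.crt" -rkey "$1/ca.key" \
        -reqin "$1/ocsp.req" -respout "$1/ocsp.resp" >/dev/null 2>&1
}
# Verify the response signature against the CA (what Trust Responses would skip), then
# print $2's status: good, revoked or unknown. Fails closed on a bad signature.
# -no_nonce: a fresh client nonce could never match the one echoed from the stored request.
ocsp_status() {
    out=$(openssl ocsp -respin "$1/ocsp.resp" -issuer "$1/ca.crt" -cert "$1/$2.crt" \
        -CAfile "$1/ca.crt" -no_nonce 2>/dev/null) || { echo verify-failed; return 1; }
    printf '%s\n' "$out" | sed -n "s|^$1/$2.crt: ||p"
}
# Stand-alone run: Ann's key is compromised and revoked, Bob's is not.
demo() {
    d=$(mktemp -d)
    make_ca "$d"; issue "$d" ann; issue "$d" bob; revoke "$d" ann; gen_crl "$d"
    printf 'CRL:  ann=%s bob=%s\n' "$(crl_status "$d" ann)" "$(crl_status "$d" bob)"
    ocsp_request "$d" ann bob; ocsp_respond "$d"
    printf 'OCSP: ann=%s bob=%s nonce_in_request=%s\n' "$(ocsp_status "$d" ann)" \
        "$(ocsp_status "$d" bob)" "$(request_has_nonce "$d" && echo yes || echo no)"
}
demo
```

Two points carry over to the appliance settings described above. The verification that ocsp_status performs before it reads a status is exactly what Trust Responses switches off (the openssl equivalent is -noverify), and the function deliberately prints nothing usable when that verification fails; an appliance configured to trust unverified responses has no such backstop. Response caching is not modelled here: with openssl every call asks the responder afresh, whereas the appliance reuses a cached answer until the configured time-out expires.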
