
OCSP for Private CA


I am trying to implement OCSP for my Private CA private certificates. I do not want to have to implement a CRL. I have strict performance requirements and want to consider stapling. What is the best approach to accomplish this to maintain performance and efficiency while also remaining secure?

asked a year ago · 711 views

1 Answer

Accepted Answer

OCSP-stapling is the correct approach for better performance and efficiency since it overcomes the limitation of frequent certificate status calls by the client to OCSP endpoints. If you want to utilize OCSP without having a CRL as a backup, consider using the OCSP must-staple certificate extension. You can use OCSP Must-Staple as a flag for the client to break the TLS connection if the certificate status returned is invalid. This will reduce the application availability risk as well by failing the TLS connection when the certificate cannot be validated. You should also note that this is only supported on TLS 1.2 or higher.

OCSP stapling can be accomplished with Amazon CloudFront. When the client requests the server certificate to establish a TLS connection, the server will query the OCSP endpoint through CloudFront, where the OCSP response is cached. By doing this the client no longer has to handle certificate validation, which will improve your performance.

https://aws.amazon.com/blogs/security/choosing-the-right-certificate-revocation-method-in-acm-private-ca/

https://aws.amazon.com/blogs/aws/cloudfront-ssl-ciphers-session-ocsp-pfs/

AWS · answered a year ago · EXPERT · reviewed a year ago
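The accepted answer hinges on two decisions: a client must fail the handshake when a Must-Staple certificate arrives without a fresh, valid staple, and a server must keep its cached OCSP response from going stale. The following Python is an added example, not code from the re:Post thread, from AWS or from any library; it models the acceptance policy over the OCSP SingleResponse fields (RFC 6960) and a server-side refresh check. The clock-skew, max-age and refresh-margin constants are assumptions chosen for the example, and signature verification of the response is assumed to happen elsewhere.

```python
"""
Added example (not from the re:Post thread or from AWS): the acceptance
policy a TLS endpoint applies to a stapled OCSP response, plus the
server-side refresh check that keeps a cached staple from going stale.
Signature verification of the response is assumed to happen elsewhere.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class Decision(Enum):
    ACCEPT = "accept"            # staple present, fresh, status good
    REJECT = "reject"            # fail the TLS handshake
    ACCEPT_SOFT = "accept_soft"  # no staple and no Must-Staple: legacy soft-fail


@dataclass(frozen=True)
class StapledResponse:
    # Fields of an OCSP SingleResponse (RFC 6960) that drive acceptance.
    status: CertStatus
    this_update: datetime
    next_update: Optional[datetime]   # absent means "newer info always available"
    responder_matches_issuer: bool    # signed by the issuing CA or its delegated OCSP signer


# Policy constants (assumptions for this example, not values from the page).
CLOCK_SKEW = timedelta(minutes=5)                 # tolerate small clock differences
MAX_AGE_WITHOUT_NEXT_UPDATE = timedelta(days=7)   # cap on responses lacking nextUpdate
REFRESH_MARGIN = timedelta(hours=1)               # re-fetch this long before nextUpdate


def staple_is_fresh(staple: StapledResponse, now: datetime) -> bool:
    """A staple is fresh if thisUpdate is not in the future and the validity
    window (nextUpdate, or a max age when nextUpdate is absent) has not passed."""
    if staple.this_update > now + CLOCK_SKEW:
        return False
    if staple.next_update is None:
        return now - staple.this_update <= MAX_AGE_WITHOUT_NEXT_UPDATE
    return now <= staple.next_update + CLOCK_SKEW


def evaluate_staple(must_staple: bool, staple: Optional[StapledResponse], now: datetime) -> Decision:
    """Decide whether a TLS handshake may proceed given the certificate's
    Must-Staple flag and the OCSP response (if any) stapled by the server."""
    if staple is None:
        # Must-Staple turns a missing staple into a hard failure; without it
        # most clients continue silently, which is the soft-fail gap that
        # the Must-Staple extension is meant to close.
        return Decision.REJECT if must_staple else Decision.ACCEPT_SOFT
    if not staple.responder_matches_issuer:
        return Decision.REJECT
    if not staple_is_fresh(staple, now):
        return Decision.REJECT
    if staple.status is CertStatus.GOOD:
        return Decision.ACCEPT
    return Decision.REJECT        # REVOKED and UNKNOWN both fail closed


def refresh_due(staple: StapledResponse, now: datetime) -> bool:
    """Server side: should the cached staple be re-fetched from the CA's
    responder now, so that a fresh one is always available to clients?"""
    if staple.next_update is None:
        return True
    return now >= staple.next_update - REFRESH_MARGIN


def demo() -> dict:
    """Constructed scenarios (sample input for the example, not real responses)."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    h, d = timedelta(hours=1), timedelta(days=1)
    good = StapledResponse(CertStatus.GOOD, now - 2 * h, now + 3 * d, True)
    stale = StapledResponse(CertStatus.GOOD, now - 10 * d, now - 3 * d, True)
    revoked = StapledResponse(CertStatus.REVOKED, now - 2 * h, now + 3 * d, True)
    wrong_signer = StapledResponse(CertStatus.GOOD, now - 2 * h, now + 3 * d, False)
    expiring = StapledResponse(CertStatus.GOOD, now - 3 * d, now + timedelta(minutes=30), True)
    return {
        "good": evaluate_staple(True, good, now),
        "stale": evaluate_staple(True, stale, now),
        "revoked": evaluate_staple(True, revoked, now),
        "wrong_signer": evaluate_staple(True, wrong_signer, now),
        "missing_must_staple": evaluate_staple(True, None, now),
        "missing_no_must_staple": evaluate_staple(False, None, now),
        "refresh_good": refresh_due(good, now),
        "refresh_expiring": refresh_due(expiring, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

The `refresh_due` check is what a caching layer in front of the CA responder has to get right: the cached response must be replaced before its nextUpdate, or every client enforcing Must-Staple will start rejecting the handshake at once.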
