Server certificate configuration for OCSP stapling
AWS IoT Core supports Online
Certificate Status Protocol (OCSP)
You can enable server certificate OCSP stapling in AWS IoT Core to check the validity of the certificate by querying the OCSP responder periodically. The OCSP stapling setting is part of the process to create or update a domain configuration with a custom domain. OCSP stapling checks for revocation status on the server certificate continuously. This helps verify that any certificates that have been revoked by the CA are no longer trusted by the clients connecting to your custom domains. For more information, see Enabling server certificate OCSP stapling in AWS IoT Core.
Server certificate OCSP stapling provides real-time revocation status check, reduces the latency associated with checking the revocation status, and improves privacy and reliability of secure connections. For more information about the benefits of using OCSP stapling, see Benefits of using OCSP stapling compared to client-side OCSP checks.
Note
This feature is not available in AWS GovCloud (US) Regions.
In this topic:
What is OCSP?
Key concepts
The following concepts provide details about OCSP and related concepts.
OCSP
OCSP
OCSP responder
An OCSP responder (also known as OCSP server) receives and responds to OCSP requests from clients that seek to verify the revocation status of certificates.
Client-side OCSP
In client-side OCSP, the client uses OCSP to contact an OCSP responder to check the certificate's revocation status during the Transport Layer Security (TLS) handshake.
Server-side OCSP
In server-side OCSP (also known as OCSP stapling), the server is enabled (rather than the client) to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake.
OCSP diagrams
The following diagram illustrates how client-side OCSP and server-side OCSP work.
Client-side OCSP
The client sends a
ClientHello
message to initiate the TLS handshake with the server.The server receives the message and responds with a
ServerHello
message. The server also sends the server certificate to the client.The client validates the server certificate and extracts an OCSP URI from it.
The client sends a certificate revocation check request to the OCSP responder.
The OCSP responder sends an OCSP response.
The client validates the certificate status from the OCSP response.
The TLS handshake is completed.
Server-side OCSP
-
The client sends a
ClientHello
message to initiate the TLS handshake with the server. The server receives the message and gets the latest cached OCSP response. If the cached response is missing or expired, the server will call the OCSP responder for certificate status.
The OCSP responder sends an OCSP response to the server.
The server sends a
ServerHello
message. The server also sends the server certificate and the certificate status to the client.The client validates the OCSP certificate status.
The TLS handshake is completed.
How OCSP stapling works
OCSP stapling is used during the Transport Layer Security (TLS) handshake between the client and the server to check the server certificate revocation status. The server makes the OCSP request to the OCSP responder and staples the OCSP responses to the certificates returned to the client. By having the server make the request to the OCSP responder, the responses can be cached and then used multiple times for many clients.
How OCSP stapling works in AWS IoT Core
The following diagram shows how server-side OCSP stapling works in AWS IoT Core.
-
The device needs to be registered with custom domains with OCSP stapling enabled.
-
AWS IoT Core calls OCSP responder every hour to get the certificate status.
-
The OCSP responder receives the request, sends the latest OCSP response, and stores the cached OCSP response.
-
The device sends a
ClientHello
message to initiate the TLS handshake with AWS IoT Core. -
AWS IoT Core gets the latest OCSP response from the server cache, which responds with an OCSP response of the certificate.
-
The server sends a
ServerHello
message to the device. The server also sends the server certificate and the certificate status to the client. -
The device validates the OCSP certificate status.
-
The TLS handshake is completed.
Benefits of using OCSP stapling compared to client-side OCSP checks
A few advantages of using server certificate OCSP stapling are summarized as follows:
Improved privacy
Without OCSP stapling, the client's device can expose information to third-party OCSP responders, potentially compromising user privacy. OCSP stapling mitigates this issue by having the server obtain the OCSP response and deliver it directly to the client.
Improved reliability
OCSP stapling can improve the reliability of secure connections because it reduces the risk of OCSP server outages. When OCSP responses are stapled, the server includes the most recent response with the certificate. This is so that clients have access to the revocation status even if the OCSP responder is temporarily unavailable. OCSP stapling helps mitigate these problems because the server fetches OCSP responses periodically and includes the cached responses in the TLS handshake, reducing reliance on the real-time availability of OCSP responders.
Reduced server load
OCSP stapling offloads the burden of responding to OCSP requests from OCSP responders to the server. This can help distribute the load more evenly, making the certificate validation process more efficient and scalable.
Reduced latency
OCSP stapling reduces the latency associated with checking the revocation status of a certificate during the TLS handshake. Instead of the client having to query an OCSP server separately, the server sends the request and attaches the OCSP response with the server certificate during the handshake.
Enabling server certificate OCSP stapling in AWS IoT Core
To enable server certificate OCSP stapling in AWS IoT Core, you must create a domain configuration for a custom domain or update an existing custom domain configuration. For general information about creating a domain configuration with a custom domain, see Creating and configuring custom domains.
Use the following instructions to enable OCSP server stapling using AWS Management Console or AWS CLI.
To enable server certificate OCSP stapling using AWS IoT console:
Choose Settings from the left navigation of the menu, then choose Create domain configuration or an existing domain configuration for a custom domain.
If you choose to create a new domain configuration from the previous step, you will see the Create domain configuration page. In the Domain configuration properties section, choose Custom domain. Enter the information to create a domain configuration.
If you choose to update an existing domain configuration for a custom domain, you will see the Domain configuration details page. Choose Edit.
To enable OCSP server stapling, choose Enable server certificate OCSP stapling in the Server certificate configurations subsection.
-
Choose Create domain configuration or Update domain configuration.
To enable server certificate OCSP stapling using AWS CLI:
If you create a new domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:
aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" \ --server-certificate-arns arn:aws:iot:
us-east-1:123456789012
:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3
\ --server-certificate-config "enableOCSPCheck=true|false"If you update an existing domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:
aws iot update-domain-configuration --domain-configuration-name "myDomainConfigurationName" \ --server-certificate-arns arn:aws:iot:
us-east-1:123456789012
:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3
\ --server-certificate-config "enableOCSPCheck=true|false"
For more information, see CreateDomainConfiguration and UpdateDomainConfiguration from the AWS IoT API Reference.
Important notes for using server certificate OCSP stapling in AWS IoT Core
When you use server certificate OCSP in AWS IoT Core, keep the following in mind:
-
AWS IoT Core supports only those OCSP responders that are reachable over public IPv4 addresses.
-
The OCSP stapling feature in AWS IoT Core doesn't support authorized responder. All OCSP responses must be signed by the CA that signed the certificate, and the CA must be part of the certificate chain of the custom domain.
-
The OCSP stapling feature in AWS IoT Core doesn't support custom domains that are created using self-signed certificates.
-
AWS IoT Core calls an OCSP responder every hour and caches the response. If the call to the responder fails, AWS IoT Core will staple the most recent valid response.
-
If
nextUpdateTime
is no longer valid, AWS IoT Core will remove the response from the cache, and TLS handshake will not include the OCSP response data until the next successful call to the OCSP responder. This can happen when the cached response has expired before the server gets a valid response from the OCSP responder. The value ofnextUpdateTime
suggests that the OCSP response will be valid until this time. For more information aboutnextUpdateTime
, see Server certificate OCSP log entries. -
Sometimes, AWS IoT Core fails to receive the OCSP response or removes the existing OCSP response because it's expired. If situations like these happen, AWS IoT Core will continue to use the server certificate provided by the custom domain without the OCSP response.
-
The size of the OCSP response cannot exceed 4 KiB.
Troubleshooting server certificate OCSP stapling in AWS IoT Core
AWS IoT Core emits the RetrieveOCSPStapleData.Success
metric and the
RetrieveOCSPStapleData
log entries to CloudWatch. The metric and the log
entries can help detect issues related to retrieving OCSP responses. For more
information, see Server certificate OCSP stapling metrics and Server certificate OCSP log entries.