Server certificate configuration for OCSP stapling - Amazon IoT Core
What is OCSP?How OCSP stapling worksEnabling server certificate OCSP stapling in Amazon IoT CoreImportant notes for using server certificate OCSP stapling in Amazon IoT CoreTroubleshooting server certificate OCSP stapling in Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Server certificate configuration for OCSP stapling

Amazon IoT Core supports Online Certificate Status Protocol (OCSP) stapling for server certificate, also known as server certificate OCSP stapling, or OCSP stapling. It is a security mechanism used to check the revocation status on the server certificate in a Transport Layer Security (TLS) handshake. OCSP stapling in Amazon IoT Core lets you add an additional layer of verification to your custom domain's server certificate validity.

You can enable server certificate OCSP stapling in Amazon IoT Core to check the validity of the certificate by querying the OCSP responder periodically. The OCSP stapling setting is part of the process to create or update a domain configuration with a custom domain. OCSP stapling checks for revocation status on the server certificate continuously. This helps verify that any certificates that have been revoked by the CA are no longer trusted by the clients connecting to your custom domains. For more information, see Enabling server certificate OCSP stapling in Amazon IoT Core.

Server certificate OCSP stapling provides real-time revocation status check, reduces the latency associated with checking the revocation status, and improves privacy and reliability of secure connections. For more information about the benefits of using OCSP stapling, see Benefits of using OCSP stapling compared to client-side OCSP checks.

Note

This feature is not available Amazon GovCloud (US) Regions.

What is OCSP?

Key concepts

The following concepts provide details about OCSP and related concepts.

OCSP

OCSP is used to check the certificate revocation status during the Transport Layer Security (TLS) handshake. OCSP allows for real-time validation of certificates. This confirms that the certificate hasn't been revoked or expired since it was issued. OCSP is also more scalable compared with traditional Certificate Revocation Lists (CRLs). OCSP responses are smaller and can be efficiently generated, making them more suitable for large-scale Private Key Infrastructures (PKIs).

OCSP responder

An OCSP responder (also known as OCSP server) receives and responds to OCSP requests from clients that seek to verify the revocation status of certificates.

Client-side OCSP

In client-side OCSP, the client uses OCSP to contact an OCSP responder to check the certificate's revocation status during the Transport Layer Security (TLS) handshake.

Server-side OCSP

In server-side OCSP (also known as OCSP stapling), the server is enabled (rather than the client) to make the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake.

OCSP diagrams

The following diagram illustrates how client-side OCSP and server-side OCSP work.

Client-side OCSP and server-side OCSP diagrams
Client-side OCSP

  1. The client sends a ClientHello message to initiate the TLS handshake with the server.

  2. The server receives the message and responds with a ServerHello message. The server also sends the server certificate to the client.

  3. The client validates the server certificate and extracts an OCSP URI from it.

  4. The client sends a certificate revocation check request to the OCSP responder.

  5. The OCSP responder sends an OCSP response.

  6. The client validates the certificate status from the OCSP response.

  7. The TLS handshake is completed.

Server-side OCSP

  1. The client sends a ClientHello message to initiate the TLS handshake with the server.

  2. The server receives the message and gets the latest cached OCSP response. If the cached response is missing or expired, the server will call the OCSP responder for certificate status.

  3. The OCSP responder sends an OCSP response to the server.

  4. The server sends a ServerHello message. The server also sends the server certificate and the certificate status to the client.

  5. The client validates the OCSP certificate status.

  6. The TLS handshake is completed.

How OCSP stapling works

OCSP stapling is used during the Transport Layer Security (TLS) handshake between the client and the server to check the server certificate revocation status. The server makes the OCSP request to the OCSP responder and staples the OCSP responses to the certificates returned to the client. By having the server make the request to the OCSP responder, the responses can be cached and then used multiple times for many clients.

How OCSP stapling works in Amazon IoT Core

The following diagram shows how server-side OCSP stapling works in Amazon IoT Core.

This diagram shows how server-side OCSP stapling works in Amazon IoT Core.

  1. The device needs to be registered with custom domains with OCSP stapling enabled.

  2. Amazon IoT Core calls OCSP responder every hour to get the certificate status.

  3. The OCSP responder receives the request, sends the latest OCSP response, and stores the cached OCSP response.

  4. The device sends a ClientHello message to initiate the TLS handshake with Amazon IoT Core.

  5. Amazon IoT Core gets the latest OCSP response from the server cache, which responds with an OCSP response of the certificate.

  6. The server sends a ServerHello message to the device. The server also sends the server certificate and the certificate status to the client.

  7. The device validates the OCSP certificate status.

  8. The TLS handshake is completed.

Benefits of using OCSP stapling compared to client-side OCSP checks

A few advantages of using server certificate OCSP stapling are summarized as follows:

Improved privacy

Without OCSP stapling, the client's device can expose information to third-party OCSP responders, potentially compromising user privacy. OCSP stapling mitigates this issue by having the server obtain the OCSP response and deliver it directly to the client.

Improved reliability

OCSP stapling can improve the reliability of secure connections because it reduces the risk of OCSP server outages. When OCSP responses are stapled, the server includes the most recent response with the certificate. This is so that clients have access to the revocation status even if the OCSP responder is temporarily unavailable. OCSP stapling helps mitigate these problems because the server fetches OCSP responses periodically and includes the cached responses in the TLS handshake, reducing reliance on the real-time availability of OCSP responders.

Reduced server load

OCSP stapling offloads the burden of responding to OCSP requests from OCSP responders to the server. This can help distribute the load more evenly, making the certificate validation process more efficient and scalable.

Reduced latency

OCSP stapling reduces the latency associated with checking the revocation status of a certificate during the TLS handshake. Instead of the client having to query an OCSP server separately, the server sends the request and attaches the OCSP response with the server certificate during the handshake.

Enabling server certificate OCSP stapling in Amazon IoT Core

To enable server certificate OCSP stapling in Amazon IoT Core, you must create a domain configuration for a custom domain or update an existing custom domain configuration. For general information about creating a domain configuration with a custom domain, see Creating and configuring custom domains.

Use the following instructions to enable OCSP server stapling using Amazon Web Services Management Console or Amazon CLI.

To enable server certificate OCSP stapling using Amazon IoT console:

  1. Choose Settings from the left navigation of the menu, then choose Create domain configuration or an existing domain configuration for a custom domain.

  2. If you choose to create a new domain configuration from the previous step, you will see the Create domain configuration page. In the Domain configuration properties section, choose Custom domain. Enter the information to create a domain configuration.

    If you choose to update an existing domain configuration for a custom domain, you will see the Domain configuration details page. Choose Edit.

  3. To enable OCSP server stapling, choose Enable server certificate OCSP stapling in the Server certificate configurations subsection.

  4. Choose Create domain configuration or Update domain configuration.

To enable server certificate OCSP stapling using Amazon CLI:

  1. If you create a new domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:

    aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
        --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
        --server-certificate-config "enableOCSPCheck=true|false"

  2. If you update an existing domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:

    aws iot update-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
        --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
        --server-certificate-config "enableOCSPCheck=true|false"

For more information, see CreateDomainConfiguration and UpdateDomainConfiguration from the Amazon IoT API Reference.

Important notes for using server certificate OCSP stapling in Amazon IoT Core

When you use server certificate OCSP in Amazon IoT Core, keep the following in mind:

  1. Amazon IoT Core supports only those OCSP responders that are reachable over public IPv4 addresses.

  2. The OCSP stapling feature in Amazon IoT Core doesn't support authorized responder. All OCSP responses must be signed by the CA that signed the certificate, and the CA must be part of the certificate chain of the custom domain.

  3. The OCSP stapling feature in Amazon IoT Core doesn't support custom domains that are created using self-signed certificates.

  4. Amazon IoT Core calls an OCSP responder every hour and caches the response. If the call to the responder fails, Amazon IoT Core will staple the most recent valid response.

  5. If nextUpdateTime is no longer valid, Amazon IoT Core will remove the response from the cache, and TLS handshake will not include the OCSP response data until the next successful call to the OCSP responder. This can happen when the cached response has expired before the server gets a valid response from the OCSP responder. The value of nextUpdateTime suggests that the OCSP response will be valid until this time. For more information about nextUpdateTime, see Server certificate OCSP log entries.

  6. Sometimes, Amazon IoT Core fails to receive the OCSP response or removes the existing OCSP response because it's expired. If situations like these happen, Amazon IoT Core will continue to use the server certificate provided by the custom domain without the OCSP response.

  7. The size of the OCSP response cannot exceed 4 KiB.

Troubleshooting server certificate OCSP stapling in Amazon IoT Core

Amazon IoT Core emits the RetrieveOCSPStapleData.Success metric and the RetrieveOCSPStapleData log entries to CloudWatch. The metric and the log entries can help detect issues related to retrieving OCSP responses. For more information, see Server certificate OCSP stapling metric and Server certificate OCSP log entries.