CoreStreet scales digital certificates

What's the point of deploying a digital certificate infrastructure if you can't readily check the status of certificates? That's where CoreStreet's Real Time Credentials comes in.

In our test of this system - which uses the Online Certificate Status Protocol (OCSP) - we found that while its unique approach works as advertised, it might be overkill for most companies using a certificate infrastructure. The usefulness of this product will not be fully realized until more applications support OCSP.


How we did it

Fitting OCSP into your Certificate Infrastructure

Archive of Network World reviews

Subscribe to the Product Review newsletter


CoreStreet provides certificate status services through a network of distributed OCSP responders, lightweight servers that do not contain sensitive cryptographic information and can be safely distributed throughout a company.

A central RTC Validation Authority (RTC VA) retrieves the Certificate Revocation List and a list of all issued certificates from the underlying certificate authority to generate proofs, or pre-built OCSP responses (see graphic, right). Then RTC Responders retrieve these proofs from the RTC VA using HTTP and to generate OCSP responses for queries from an OCSP requestor. Security applications that process certificates issue OCSP requests. The application then uses the OCSP response to determine the certificate's validity.

The RTC VA and each RTC Responder are managed separately through a Web-based GUI. There also is a command-line interface to the RTC VA, but we found it incomplete. Each component has its own error log that resides on the individual Validation Authority and Responder systems. There is no capability to integrate these internal log files with an external log management system.

To tap into RTC services, security devices must support Secure Sockets Layer (SSL), 802.1XIPSec or some other certificate-aware protocol, and be configured to check the status of the certificate. Not many applications directly support OCSP yet. Several vendors, including CoreStreet, offer add-on products that enhance Internet Explorer, Internet Information Server and Windows to add status-checking based on OCSP. Mozilla natively supports OCSP, and future versions of Windows will as well.

We installed RTC VA and RTC Responder software on two Windows systems (see How we did it). The documentation provides only a partial installation guide. The default configuration uses some non-standard ports, so you have to reconfigure it to integrate with most certificate authorities. CoreStreet's implementation of OCSP makes assumptions about how your certificate authority works and about how the OCSP requestor works. It expects serial numbers to be sequential, which the standard doesn't require.

RTC VA Web management interface is not configured to support SSL connections by default, and changing the settings to support SSL is not documented. [Note: CoreStreet officials say they have updated the documentation regarding SSL configuration since we tested this product.] The default configuration for the RTC Responder uses SSL, but it uses a self-signed certificate and assumes you have a management workstation that uses a browser configured with client certificates.

The RTC VA interface uses a role-based administrative model. The installation procedure required changing roles frequently, from Administrator (to perform database updates) to Officer (for managing certificates) to Auditor (for checking certificate authority status).

We set up a scenario where the status of the Web server's certificate could be checked. The certificate issued by our OpenSSL certificate authority to the Web server contained the URL of the RTC Responder. The browser used the URL from the certificate to send an OCSP request for certificate status to the Responder.

Our choice of an underpowered platform for the responder proved that the vendor's claims that the RTC Responders are not resource-intensive are true. Both the normal case of a valid certificate and the case where we attempted to use a revoked certificate worked as expected.

Real Time Credentials Authority and Responder OVERALL RATING
3.45
Company: CoreStreet Cost: Pilot installation of 500 users with 1,500 certificates costs $20,000. Pros: Provides distributed OCSP services; scales to very large certificate hierarchies; isolates sensitive cryptographic compo-nents. Cons: Difficult to operate if un-scheduled updates are needed; adds complexity if existing Certificate Authority supports OCSP; requires additional client-side software in many cases.
The breakdown    
Security features 30%  4
Management/ease of use 30%  3
Documentation 20%  3
Installation 10%  4
Standards compliance 10%  3.5
TOTAL SCORE  3.45
Scoring Key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Consistently subpar

Certificate status is updated automatically on a periodic basis. To force immediate change propagation, you have to manually intervene on each component to perform an update. Updating the RTC Validation Authority for a 10,000 certificate Lightweight Directory Access Protocol database took 8 to 9 minutes on our test server.

The vendor says its Validation Authority/Responder configuration solves the problem of poor performance when calculating OCSP responses. In our example with 10,000 certificates, it took 11 seconds for its software to generate all possible responses.

OCSP has not been widely supported in the past, but it now is being built into most commercial and open source certificate authorities. (See more on OCSP.) While the CoreStreet RTC system provides a scalable alternate to these built-in OCSP capabilities, it's really only a necessary addition to your network if you need to manage a huge number of certificates.

Learn more about this topic

Thayer is an independent security consultant. He can be reached at rodney@canola-jones.com.

NW Lab Alliance

Thayer is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.nwfusion.com/alliance.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT