The webserver is poorly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) ensure that users can verify the integrity of a server certificate.
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
The web server is poorly configured regarding revoked certificates. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) ensure that users can verify the integrity of a server certificate. If your certificate is compromised, these techniques allow you respectively your certificate authority (CA) to revoke the compromised certificate. Therefore, you can issue a new (valid) certification, and the compromised certificate (used by an attacker) will produce warnings when a user accesses their website.
OCSP is the newer method to revoke certificates, as it allows certificate authorities to revoke certificates much faster without the need to update complete revocation lists potentially containing thousands of certificates
Use one of the following options to making sure that your certificates can be adequately revoked:
Unfortunately, you cannot enable OCSP solely on your own. Your certificate authority needs to operate the OCSP server and store the certificate information there. If your CA does not offer OCSP, consider switching to a CA that supports this feature. If your CA supports OCSP, follow these guides to create a certificate with OCSP enabled.
OCSP stapling is an addition to OSCP, where the webserver retrieves the OCSP answer from the OCSP server, which contains a signed timestamp. This answer is sent to the client on the original request. Therefore, the client does not need to send an additional request to the OCSP server. This increases the users' privacy as the CA does not get requests from your users who are accessing your web application.
With Let's Encrypt, it is straightforward to enable OCSP stapling. When creating a new certificate, just add the
--staple-ocsp flag. If Let's Encrypt has generated your credentials, just run the same command and choose Attempt to reinstall this existing certificate as the first option. This will reuse your certificate and enable OCSP stapling.
certbot run -d [DOMAIN] --staple-ocsp --hsts
On Apache, you need to get the full certificate chain from your certificate authority and store them in the
file/etc/ssl/ca-certs.pem. Then update your SSL configuration to include the
Header always set Strict-Transport-Security "max-age=31536000"
On Nginx, you need to get the entire certificate chain from your certificate authority and store them in the file
/etc/ssl/ca-certs.pem. Then update your SSL configuration to include the
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; ";
index index.html index.htm;