Tuesday, January 18, 2011

Certificate Authority - Network Ports?

We are optimizing our QoS router settings and it was decided that we should give priority to our PKI infrastructure. As far as I'm aware, there is network traffic when certificates are verified and when they are checked against the certificate revocation list (CRL). There may be some other reasons for network activity that I am not aware of.

What ports are associated with certificate-related network activity? Thanks.

  • That depends on what the revocation data on the certificate is configured for. It can change. Some use HTTP/HTTPS (TCP/80 and 443), others can use LDAP (TCP/389 and TCP/636 for secure) for that. Still others can use file paths, of all things, which can require SMB connectivity or other methods.

    In other words, it uses basic network protocols and to my knowledge doesn't use special ports for that. As I said, the CRL locations are encoded on the certificates themselves and can be pretty much anything.

  • On-the-fly certificate revocation uses Online Certificate Status Protocol.

    The port for this protocol isn't standardised, though - it's specified in the OCSP URL in the CA cert.

    From Alnitak
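Both answers make the same point: the endpoints are whatever URLs the CA put into the certificate's CRL Distribution Points and Authority Information Access (OCSP) extensions, so the port list has to be read off the certificates rather than looked up in a table. The script below is an added example, not code from either poster: it walks the DER encoding of those two extension values, pulls out every `uniformResourceIdentifier` GeneralName, and maps each to the host and TCP port a QoS rule would have to match (80/443 for HTTP(S), 389/636 for LDAP(S), 445 for a `file://` UNC path, or an explicit port in the URL). The sample extension values, host names and the tiny DER encoder used to build them are all constructed here for the demonstration; an LDAP URL with no host (the form Active Directory CAs commonly publish, where the client picks its own domain controller) is reported separately because it has no single endpoint to prioritize.

```python
"""Extract revocation-check endpoints from DER-encoded X.509 CRLDistributionPoints
and AuthorityInfoAccess extension values and map them to host/port pairs for a
QoS rule.  Added example; sample values below are constructed, not from a real CA."""
from urllib.parse import urlsplit

OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636, "file": 445}
TAG_SEQ, TAG_OID, TAG_CTX0, TAG_URI = 0x30, 0x06, 0xA0, 0x86  # [0] constructed, [6] primitive

# --- minimal DER helpers (single-byte tags, which is all GeneralName needs) ---
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def iter_tlv(buf: bytes):
    """Yield (tag, value) for each consecutive DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- extension parsing ---
def find_uris(buf: bytes):
    """Recursively collect GeneralName uniformResourceIdentifier ([6]) values."""
    uris = []
    for tag, val in iter_tlv(buf):
        if tag == TAG_URI:
            uris.append(val.decode("ascii"))
        elif tag & 0x20:                   # constructed element: descend
            uris.extend(find_uris(val))
    return uris

def parse_cdp(ext_value: bytes):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint; return its URIs."""
    _, body = next(iter_tlv(ext_value))
    return find_uris(body)

def parse_aia(ext_value: bytes):
    """AuthorityInfoAccess ::= SEQUENCE OF { accessMethod OID, accessLocation GeneralName }.
    Return (dotted OID, URI) pairs."""
    _, body = next(iter_tlv(ext_value))
    out = []
    for _, ad in iter_tlv(body):
        (_, oid), (loc_tag, loc) = list(iter_tlv(ad))
        if loc_tag == TAG_URI:
            out.append((decode_oid(oid), loc.decode("ascii")))
    return out

def qos_endpoint(url: str):
    """(host, tcp_port) a rule must match, or None if the URL names no fixed host."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return p.hostname, p.port or DEFAULT_PORTS[scheme]

def revocation_endpoints(cdp_ext: bytes, aia_ext: bytes):
    """Return (sorted list of (kind, host, port), list of URLs with no fixed endpoint)."""
    found = [("crl", u) for u in parse_cdp(cdp_ext)]
    for oid, u in parse_aia(aia_ext):
        found.append(({OID_OCSP: "ocsp", OID_CA_ISSUERS: "caIssuers"}.get(oid, oid), u))
    endpoints, unresolved = set(), []
    for kind, url in found:
        ep = qos_endpoint(url)
        (unresolved.append(url) if ep is None else endpoints.add((kind,) + ep))
    return sorted(endpoints), unresolved

# --- constructed sample data (hypothetical hosts under example.test) ---
SAMPLE_CRL_URLS = [
    "http://crl.example.test/root.crl",
    "ldap://ldap.example.test/CN=Root,CN=CDP?certificateRevocationList?base",
    "file://fileserver.example.test/pki/root.crl",
    "ldap:///CN=Root,CN=CDP,DC=example,DC=test?certificateRevocationList?base",
]
SAMPLE_AIA = [(OID_OCSP, "http://ocsp.example.test:8080"),
              (OID_CA_ISSUERS, "http://crl.example.test/root.crt")]

def build_sample_extensions():
    """DER-encode the sample CDP and AIA extension values."""
    dps = b"".join(der(TAG_SEQ, der(TAG_CTX0, der(TAG_CTX0, der(TAG_URI, u.encode()))))
                   for u in SAMPLE_CRL_URLS)
    ads = b"".join(der(TAG_SEQ, der(TAG_OID, encode_oid(o)) + der(TAG_URI, u.encode()))
                   for o, u in SAMPLE_AIA)
    return der(TAG_SEQ, dps), der(TAG_SEQ, ads)

if __name__ == "__main__":
    eps, unresolved = revocation_endpoints(*build_sample_extensions())
    for kind, host, port in eps:
        print(f"{kind:10s} {host}:{port}")
    for url in unresolved:
        print("no fixed endpoint (client-chosen server):", url)
```

On a real certificate the two inputs are the bytes of the `extnValue` OCTET STRING for OIDs 2.5.29.31 (CRL Distribution Points) and 1.3.6.1.5.5.7.1.1 (Authority Information Access); run it over every issuing and root certificate in the chain, since each level can publish to a different host, and the union of the resulting host/port pairs is the traffic the QoS policy needs to cover.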
