Layer7 API Management

  • 1.  OCSP handling

    Posted Jan 06, 2017 06:20 AM

    We have to check the revocation status of client certificates using an OCSP responder.

    Our client certificates are generated by our PKI and they contain a field with the address of the OCSP responder. We want to use the “authenticate against identity provider” assertion to authenticate our clients and check that the certificates sent by the clients are not revoked. So we tried configuring the certificate validation policy from the menu “tasks” > “certificates, keys and secrets” > “Manage certificates” > “certificate validation”, but with no success.

    Our test procedure was the following:

    • Add a user to the internal identity provider
    • Add to this user a certificate generated by the PKI
    • Create a service using the assertion “authenticate against identity provider”
    • Test different configurations:
      • We created a revocation checking policy in the “manage certificates” menu
        • We chose “OCSP from certificate URL”
        • We set “Use as default revocation checking policy”
      • In the “Certificate Validation Options” we chose “Revocation checking” for the certificates of type “Identity providers”
      • We also tried to define similar settings in the internal identity provider settings

    We checked that the machine hosting the gateway can reach the OCSP responder and that the certificates contain the OCSP responder address.

    Depending on our configurations the gateway either blocks all the certificates or accepts all of the certificates no matter their status.

    What settings do you recommend to enable OCSP revocation checking, and what could be wrong in the settings we tried to apply?



  • 2.  Re: OCSP handling
    Best Answer

    Broadcom Employee
    Posted Jan 06, 2017 05:09 PM

    Philippe,

    Good evening. The OCSP server certificate or the certificate that was used to sign that certificate needs to be trusted in the gateway.

    Quick instructions:
    1) In the "Manage Certificates" interface of the Policy Manager, import the OCSP server certificate.
    2) For the imported OCSP certificate check the option "Signing Client Certificates" only. Set the checkbox for trust anchor.
    3) Click the "certificate validation" then "add", set a name, click "add".
    4) Choose type as "OCSP from URL"
    5) Enter the URL and port of the OCSP server (e.g. http://ocsp.example.com:8888)
    6) Click [add] ➜ [search] and choose the server OCSP certificate imported earlier, then click "select", "OK", "OK", "Close", "Close".

    Sincerely,

    Stephen Hughes

    Director, CA Support
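
    As an added illustration (not part of this thread and not Layer7 code), the Python script below models the trust decision the reply above is about: the OCSP response is signed by the responder's certificate, and the gateway can only act on the GOOD/REVOKED answer once that signer chains to something it trusts. Everything is constructed locally with the `cryptography` library: a client CA, a self-signed OCSP responder, one good and one revoked client certificate carrying an AIA extension, and a stand-in `fake_responder` function in place of the network call. The URL is the placeholder from the reply, not a real responder. With the responder certificate among the trust anchors the two clients come back GOOD and REVOKED; without it every response is rejected, which is the "blocks all the certificates" outcome described in the question.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
OCSP_URL = "http://ocsp.example.com:8888"  # placeholder URL from the reply, not a real responder
DER = serialization.Encoding.DER

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _issue(cn, issuer, issuer_key, key, extensions):
    """Issue a certificate for `key`; issuer=None means self-signed. All certs here are constructed."""
    b = (x509.CertificateBuilder().subject_name(_name(cn))
         .issuer_name(issuer.subject if issuer else _name(cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=365)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(issuer_key, hashes.SHA256())

def build_pki():
    """Constructed PKI: a client CA, a self-signed OCSP responder, two client certs with an AIA entry."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _issue("Client CA", None, ca_key, ca_key, [(x509.BasicConstraints(ca=True, path_length=None), True)])
    resp_key = ec.generate_private_key(ec.SECP256R1())
    responder = _issue("OCSP Responder", None, resp_key, resp_key,
                       [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)])
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    clients = {cn: _issue(cn, ca, ca_key, ec.generate_private_key(ec.SECP256R1()), [(aia, False)])
               for cn in ("good-client", "revoked-client")}
    return ca, responder, resp_key, clients

def ocsp_url_from_cert(cert):
    """What "OCSP from certificate URL" reads: the OCSP entries of the AIA extension."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]

def fake_responder(request_der, ca, responder, resp_key, issued, revoked_serials):
    """Stand-in for the network responder: answers one OCSP request with a signed response."""
    req = ocsp.load_der_ocsp_request(request_der)
    revoked = req.serial_number in revoked_serials
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=issued[req.serial_number], issuer=ca, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=NOW - datetime.timedelta(hours=2) if revoked else None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, responder).certificates([responder])
    return b.sign(resp_key, hashes.SHA256()).public_bytes(DER)

def _signer_is_trusted(signer, anchors):
    """Trusted if imported as an anchor itself, or issued by an anchor and marked for OCSP signing."""
    if signer in anchors:
        return True
    for anchor in anchors:
        if anchor.subject != signer.issuer:
            continue
        try:
            anchor.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       ec.ECDSA(signer.signature_hash_algorithm))
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except (InvalidSignature, x509.ExtensionNotFound):
            continue
        return ExtendedKeyUsageOID.OCSP_SIGNING in eku
    return False

def check_revocation(client, response_der, anchors):
    """Gateway-side decision: 'GOOD' or 'REVOKED', or ValueError if the response cannot be trusted."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status.name}")
    if resp.serial_number != client.serial_number:
        raise ValueError("response is for another certificate")
    signer = next((c for c in list(resp.certificates) + anchors if c.subject == resp.responder_name), None)
    if signer is None or not _signer_is_trusted(signer, anchors):
        raise ValueError("OCSP response signer is not trusted")
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        raise ValueError("OCSP response signature is invalid")
    return resp.certificate_status.name

def run_scenario(trust_ocsp_cert):
    """Outcome per constructed client, with or without the responder certificate imported as trusted."""
    ca, responder, resp_key, clients = build_pki()
    issued = {c.serial_number: c for c in clients.values()}
    revoked = {clients["revoked-client"].serial_number}
    anchors = [ca, responder] if trust_ocsp_cert else [ca]
    out = {}
    for cn, cert in clients.items():
        assert ocsp_url_from_cert(cert) == [OCSP_URL]  # the address the client cert points at
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca, hashes.SHA1()).build()
        der = fake_responder(req.public_bytes(DER), ca, responder, resp_key, issued, revoked)
        try:
            out[cn] = check_revocation(cert, der, anchors)
        except ValueError as err:
            out[cn] = f"REJECTED: {err}"
    return out
```

    Call `run_scenario(True)` and `run_scenario(False)` to compare the two outcomes. The signer check follows RFC 6960: the responder is accepted either because its certificate was imported as a trust anchor directly (steps 1 and 2 of the reply) or because a trust anchor issued it and gave it the OCSP-signing extended key usage. A production check would also enforce the thisUpdate/nextUpdate freshness window, which this example leaves out.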



  • 3.  Re: OCSP handling

    Posted Jan 09, 2017 08:44 AM

    Hi Stephen,

    Thx for the update, I will test it and let you know.

    Regards,