We have to check the revocation status of client certificates using an OCSP responder.
Our client certificates are generated by our PKI and they contain a field with the address of the OCSP responder. We want to use the “authenticate against identity provider” feature to authenticate our clients and check that the certificates sent by the clients are not revoked. So we tried configuring the certificate validation policy from the menu “tasks” > “certificates, keys and secrets” > “Manage certificates” > “certificate validation”, but with no success.
Our test procedure was the following:
We checked that the machine hosting the gateway can reach the OCSP responder and that the certificates contain the OCSP responder address.
Depending on our configurations the gateway either blocks all the certificates or accepts all of the certificates no matter their status.
What settings do you recommend to enable the OCSP revocation checking, and what could be wrong in the settings we tried to apply?
Good evening. The OCSP server certificate or the certificate that was used to sign that certificate needs to be trusted in the gateway.
Quick instructions:
1) In the "Manage Certificates" interface of the Policy Manager, import the OCSP server certificate.
2) For the imported OCSP certificate, check the option "Signing Client Certificates" only. Set the checkbox for trust anchor.
3) Click "certificate validation", then "add", set a name, click "add".
4) Choose type as "OCSP from URL".
5) Enter the URL and port of the OCSP server (e.g. http://ocsp.example.com:8888).
6) Click [add] ➜ [search] and choose the OCSP server certificate imported earlier, then click "select", "OK", "OK", "Close", "Close".
Director, CA Support
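As an added example that is not part of this thread or of the vendor's product, the following script uses the openssl CLI to reproduce what the gateway is being asked to do: read the OCSP URL from the client certificate's Authority Information Access extension, obtain a signed response from a responder, and accept that response only when the responder's signing certificate is trusted. Everything in it is constructed for the example: the lab CA, the client certificates "alice" (revoked) and "bob" (good), their serial numbers, the revocation index, the OCSP URL http://ocsp.example.com:8888, and a standalone self-signed responder certificate that mirrors the situation in the answer above, where the responder's certificate has to be imported and trusted separately from the issuing CA.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's or the vendor's code).
# It builds a throwaway PKI with the openssl CLI, answers an OCSP request for a
# revoked client certificate, and shows what the gateway's validation policy has
# to get right: the responder's signing certificate must be trusted, or every
# response is rejected. Names, serials and the OCSP URL below are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. The client profile carries the AIA pointer that the
# gateway reads to find the responder; the responder profile carries OCSPSigning.
cat > lab.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.com:8888
[ v3_ocsp ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
EOF

# Issue a client certificate from the lab CA: $1 = file prefix, $2 = CN, $3 = hex serial.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" -config lab.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "0x$3" \
        -days 365 -extfile lab.cnf -extensions v3_client -out "$1.crt" 2>/dev/null
}

# Build the lab: an issuing CA, two client certs, and a standalone OCSP signing
# certificate that does NOT chain to the CA (a separate responder, as in the thread).
build_lab() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Lab Issuing CA" -days 365 -config lab.cnf -extensions v3_ca 2>/dev/null
    issue_client alice alice 1001
    issue_client bob bob 1002
    openssl req -x509 -newkey rsa:2048 -nodes -keyout responder.key -out responder.crt \
        -subj "/CN=ocsp.example.com" -days 365 -config lab.cnf -extensions v3_ocsp 2>/dev/null
    # Revocation database in openssl's CA index format (constructed):
    # status, expiry, revocation time, serial, file, subject; tab separated.
    printf 'R\t260101000000Z\t240601120000Z\t1001\tunknown\t/CN=alice\n' >  index.txt
    printf 'V\t260101000000Z\t\t1002\tunknown\t/CN=bob\n'               >> index.txt
}

# What the gateway reads from the client certificate: the AIA OCSP URL.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Stand in for the responder: build the request for cert $1 and answer it from
# index.txt, signing with the standalone responder key. Response goes to $2.
ocsp_answer() {
    openssl ocsp -issuer ca.crt -cert "$1" -no_nonce -reqout "$2.req" >/dev/null 2>&1
    openssl ocsp -index index.txt -CA ca.crt -rsigner responder.crt -rkey responder.key \
        -reqin "$2.req" -respout "$2" -no_nonce >/dev/null 2>&1
}

# Stand in for the gateway: verify response $2 for cert $1 with the trust options
# given after them. Prints good/revoked/unknown, or "untrusted" when the response
# signature cannot be tied to a trusted responder certificate.
ocsp_verify() {
    cert=$1; resp=$2; shift 2
    if out=$(openssl ocsp -respin "$resp" -issuer ca.crt -cert "$cert" -no_nonce "$@" 2>/dev/null); then
        printf '%s\n' "$out" | sed -n "s/^$cert: //p"
    else
        echo untrusted
    fi
}

build_lab
ocsp_answer alice.crt alice.resp
ocsp_answer bob.crt bob.resp

echo "AIA OCSP URL in alice.crt: $(ocsp_uri alice.crt)"
# Trusting only the issuing CA: the responder cert is self-signed, so no response verifies.
echo "CA only, alice:        $(ocsp_verify alice.crt alice.resp -CAfile ca.crt)"
# Trusting the responder certificate explicitly, as the answer's import step does.
echo "CA + responder, alice: $(ocsp_verify alice.crt alice.resp -CAfile ca.crt -VAfile responder.crt)"
echo "CA + responder, bob:   $(ocsp_verify bob.crt bob.resp -CAfile ca.crt -VAfile responder.crt)"
```

The "CA only" line is the case to watch for: the response is correctly signed and says "revoked", but the verifier cannot chain the responder's certificate to anything it trusts, so it rejects the response outright; a gateway configured to fail closed then rejects every client, revoked or not. Adding the responder certificate to the trust list (`-VAfile` here, the import plus trust-anchor checkbox in the answer) is what turns that into a usable "revoked" or "good" decision. If your responder's certificate is instead issued by the same CA that issued the client certificates and carries the OCSPSigning extended key usage, trusting the CA alone is sufficient (the delegated-responder model of RFC 6960); the standalone responder used in this example is the case where it is not.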
Thanks for the update, I will test it and let you know.