OCSP Certificate Validation

Overview

Online Certificate Status Protocol (OCSP) is a network protocol for checking the revocation status of an X.509 certificate in real time. The Enterprise Gateway can query an OCSP responder for the status of a certificate. The responder returns a signed response stating whether the certificate is good, revoked, or unknown to the responder.

To validate a certificate using an OCSP lookup, the issuing CA certificate must be trusted by the Enterprise Gateway. An OCSP request identifies the certificate by a hash of the issuer's distinguished name, a hash of the issuer's public key, and the certificate's serial number, so the Gateway needs the issuer's public key to build the request. That key is not carried in the certificate being checked (which holds only the subject's public key and the issuer's name), so the Gateway retrieves it from the issuer CA certificate in its certificate store. The trusted issuer certificate is also needed to verify the signature on the OCSP response. For more information on how to trust CA certificates, see the Certificate tutorial.
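The following is an added example, not Enterprise Gateway code, showing why the issuer's key must be on hand: it builds the CertID of an RFC 6960 OCSP request with the Python standard library, wraps it in a minimal unsigned OCSPRequest, and decodes it again. The issuer name and the 32 bytes standing in for the issuer's raw subjectPublicKey bits are constructed placeholders; a real implementation would take both from the issuer CA certificate in the certificate store.

```python
"""
Build and decode the CertID of an RFC 6960 OCSP request (standard library only).
Added example, not Enterprise Gateway code. ISSUER_NAME and ISSUER_KEY below are
constructed placeholders for values that in practice come from the issuer CA
certificate in the certificate store, since neither is present in the
end-entity certificate being checked.
"""
import hashlib

SHA1_OID = "1.3.14.3.2.26"   # id-sha1, the hashAlgorithm most responders accept
CN_OID = "2.5.4.3"           # id-at-commonName


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 sub-identifier encoding."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return der(0x06, bytes(out))


def der_int(n: int) -> bytes:
    """Positive INTEGER, with the leading zero DER requires when the top bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_name_cn(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; a single RDN holding one commonName."""
    atv = der(0x30, der_oid(CN_OID) + der(0x0C, cn.encode("utf-8")))
    return der(0x30, der(0x31, atv))


def cert_id(issuer_name_der: bytes, issuer_key_bytes: bytes, serial: int) -> bytes:
    """CertID (RFC 6960 4.1.1): SHA-1 of the issuer's DER Name, SHA-1 of the
    issuer's raw subjectPublicKey bits, and the target certificate's serial."""
    alg = der(0x30, der_oid(SHA1_OID) + b"\x05\x00")   # AlgorithmIdentifier, NULL params
    return der(0x30,
               alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bytes).digest())
               + der_int(serial))


def ocsp_request(cid: bytes) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }
    with no optional fields and no signature."""
    return der(0x30, der(0x30, der(0x30, der(0x30, cid))))


def _tlv(buf: bytes, pos: int):
    """Parse one TLV at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def decode_cert_id(req: bytes) -> dict:
    """Unwrap OCSPRequest, TBSRequest, requestList, Request and CertID
    (all SEQUENCEs, as emitted by ocsp_request) and return the CertID fields."""
    node = req
    for _ in range(5):
        tag, node, _ = _tlv(node, 0)
        if tag != 0x30:
            raise ValueError("unexpected tag 0x%02x" % tag)
    _alg, name_hash, key_hash, serial = _children(node)
    return {"issuerNameHash": name_hash[1],
            "issuerKeyHash": key_hash[1],
            "serialNumber": int.from_bytes(serial[1], "big")}


def request_matches_issuer(req: bytes, issuer_name_der: bytes, issuer_key_bytes: bytes) -> bool:
    """The responder's first check: do the request's hashes identify this issuer?"""
    cid = decode_cert_id(req)
    return (cid["issuerNameHash"] == hashlib.sha1(issuer_name_der).digest()
            and cid["issuerKeyHash"] == hashlib.sha1(issuer_key_bytes).digest())


# Constructed placeholders (a real CA public key is far longer than 32 bytes).
ISSUER_NAME = der_name_cn("Example Enterprise Gateway CA")
ISSUER_KEY = bytes(range(32))
SERIAL = 0x1A2B3C4D5E6F

REQUEST = ocsp_request(cert_id(ISSUER_NAME, ISSUER_KEY, SERIAL))

if __name__ == "__main__":
    print(REQUEST.hex())
    print(decode_cert_id(REQUEST))
```

Note that `request_matches_issuer` fails as soon as a different key is supplied: the responder cannot map the request to a certificate it knows about if the Gateway hashed the wrong issuer key, which is why the issuer CA certificate has to be present in the certificate store rather than guessed from the certificate under validation.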

Configuration

The table on the Certificate Validation - OCSP screen lists the currently available global OCSP Connections. You can add OCSP Connections on the External Connections tab in Policy Studio.

Configure the following fields on the Certificate Validation - OCSP dialog:

Name:
Enter an appropriate name for this OCSP filter.

OCSP Connection:
Select one or more global OCSP Connections from the table. To add a global OCSP Connection, on the External Connections tab, right-click the OCSP Connections node, and select Add an OCSP Connection. For more information on configuring these connections, see the OCSP Connection topic.