OCSP Certificate Validation


Online Certificate Status Protocol (OCSP) is an automated certificate checking network protocol. The API Gateway can query an OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.

To validate a certificate using an OCSP lookup, the issuing CA certificate should be trusted by the API Gateway. This is because for an OCSP request, the protocol stipulates that the CA public key must be submitted as part of the request. The issuing CA public key is not always included in the certificates that it issues, so it is necessary to retrieve it from the API Gateway's certificate store instead. For more information on how to trust CA certificates, see the Certificates and Keys tutorial.


Configure the following fields on the Certificate Validation - OCSP dialog:


Enter an appropriate name for this OCSP filter.

OCSP Connection:

Click the button on the right, and select an OCSP connection in the tree. To add an OCSP connection, right-click the OCSP Connections node, and select Add an OCSP Connection. Alternatively, you can configure an OCSP connection under the External Connections node in the Policy Studio tree. For more details, see the OCSP Certificate Validation Connection topic.