OCSP Certificate Validation Connection


Online Certificate Status Protocol (OCSP) is an automated certificate checking network protocol. The API Gateway can query an OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.

To validate a certificate using an OCSP lookup, the issuing CA certificate should be trusted by the API Gateway. This is because for an OCSP request, the protocol stipulates that the CA public key must be submitted as part of the request. The issuing CA public key is not always included in the certificates that it issues, so it is necessary to retrieve it from the API Gateway's certificate store instead. For more information on how to trust CA certificates, see the Certificates and Keys tutorial.

You can add OCSP Connections under the External Connections node in the Policy Studio tree. To add a global OCSP Connection, right-click the OCSP Connections node, and select Add an OCSP Connection.


Configure the following fields on the Certificate Validation - OCSP dialog:


Enter a name for this OCSP connection.

URL Group:

Select a group of OCSP responders from the URL Group drop-down list.

The API Gateway attempts to connect to the OCSP responders in the selected group in a round-robin fashion. It attempts to connect to the responders with the highest priority first, before connecting to responders with a lower priority.

You can add, edit, or remove URL Groups by selecting the appropriate button. For more information on adding and editing URL groups, see the Configuring URL Groups topic.

User Name:

Requests to OCSP responders can be signed by a user to whom the Sign OCSP or XKMS Requests privilege has been assigned. Only those users who have been assigned this privilege are displayed in the drop-down list. For more information on assigning privileges to users, see the API Gateway Users tutorial.

Signing Key:

Click the Signing Key button to open the list of certificates in the Certificate Store. You can then select the key to use to sign requests to XKMS responders. This user must have been granted the Sign OCSP or XKMS Requests privilege.

Validate Response:

If the OCSP responders sign responses, select this checkbox to force the API Gateway to validate the signature on the response from the OCSP responder.