AnsweredAssumed Answered

OCSP handling

Question asked by PhBrand on Jan 6, 2017
Latest reply on Jan 9, 2017 by PhBrand

We have to check the revocation status of a client certificates using an OCSP responder.

 

Our client certificates are generated by our PKI and they contains a field with the address of the OCSP responder. We want to use the “authenticate against identity provider” to authenticate our clients check that the certificates sent by the clients are not revoked. So we tried configuring the certificate validation policy from the menu “tasks” > “certificates, keys and secrets” > “Manage certificates” > “certificate validation” but with no success.

 

Our test procedure was the following:

  • Add a user to the internal identity provider
  • Add to this user a certificate generated by the PKI
  • Creating a service using the assertion “authenticate against identity provider”
  • Testing different configurations:
    • We created a revocation checking policy in the “manage certificates” menu
      • We choose “OCSP from certificate URL”
    • We set “Use as default revocation checking policy”
    • In the “Certificate Validation Options” we choose “Revocation checking” for the certificates of type “Identity providers”
    • We also tried to define similar settings in the internal identity provider settings

 

We checked that the machine hosting the gateway can reach the ocsp responder and that the certificates contains the OCSP responder address.

Depending on our configurations the gateway either blocks all the certificates or accepts all of the certificates no matter their status.

 

What settings do you recommend to enable the OCSP revocation checking ,and what could be wrong in the settings we tried to apply?

Outcomes