
API GW - OCSP / CRL only use outbound proxy

Question asked by CBertagnolli Champion on Oct 4, 2017
Latest reply on Dec 5, 2017 by CBertagnolli

I've run into a little issue with the API GW on an internal network and am trying to see if anyone has run into it or knows a way around it.

 

We trust a number of issuers for certificates external to us. Their OCSP/CRL locations are out on the public internet but the user may be inside our private network. So the API GW needs to go outbound to the internet to retrieve those decisions.

 

I see there's Default HTTP Proxy and other options for setting up a proxy. The problem there is that it would be proxying all the traffic or for known hosts, right?

 

In this case, the locations vary based on the issuer and that issuer list is regularly updated. That location may also change in a cert without us knowing (rare but possible). I don't want to send all traffic out via that proxy but do need the OCSP/CRL checks to go outbound through it...

 

Is there any way to force just OCSP/CRL revocation checks to use the outbound proxy?
