Access: Online Certificate Status Protocol (OCSP) Client Certificate Validation
It is possible to configure Client Certificate Validation using OCSP.
To use the OCSP Client Certificate Validation, do the following:
Log in to your Next Generation Hardware Appliance.
Open the Access page.
In the section OCSP Client Certificate Validation, a list of the interfaces is displayed.
In the column Actions, click Configure to open the corresponding form:
The OCSP Responder Configuration form enables the following configurations:
The OCSP Status drop-down menu has three options:
Disabled: No OCSP checks.
This option disables OCSP validation of the client certificate chain.
Enabled: Activates OCSP client certificate validation.
This option enables OCSP validation of the client certificate chain. If this option is activated, every certificate in the client's certificate chain is checked against an OCSP responder after the normal validation (including CRL checks) has taken place.
Enabled (Leaf-Mode): If this option is activated, only the client certificate itself (the leaf certificate) is checked against an OCSP responder; the issuing CA certificates in the chain are not.
General Settings:
Use internal EJBCA as OCSP responder:
AIA + internal EJBCA OCSP endpoint.
If this option is activated by checking the box, the OCSP responder URI (Uniform Resource Identifier) is set to the internal EJBCA OCSP responder.
If the box is not checked, the Default OCSP Responder URI is used instead.
Unless Use only this OCSP Responder is also activated, the responder URI taken from this setting is used only when the certificate to be checked carries no OCSP responder URI in its Authority Information Access (AIA) extension.
Default OCSP Responder URI
AIA + custom OCSP endpoint.
This option specifies the default OCSP responder to be used. Unless Use only this OCSP Responder is also activated, the specified URI is used only when the certificate to be checked carries no OCSP responder URI in its AIA extension.
Use only this OCSP Responder
If this option is activated, the configured OCSP responder is always used for the OCSP certificate check, regardless of whether the certificate to be checked refers to an OCSP responder in its AIA extension.
Do not verify the OCSP result
If this option is activated, the signature on the OCSP response and the certificate of the OCSP responder that signed it are not verified.
This is mostly useful when testing an OCSP server. With this option active, any party that can answer the OCSP request can report a revoked certificate as good, so it should never be left enabled on a production interface.
Click Save Configuration to confirm your setting.
Note that you cannot activate OCSP on the default interface.
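The following script is an added example and is not part of the appliance documentation or its software; it reproduces, with nothing but the openssl command line and no network access, the three checks described above: a trusted responder reporting a good certificate, the same responder reporting a revoked one, and an untrusted ("rogue") responder whose response is rejected by signature verification but accepted once verification is switched off, which is what Do not verify the OCSP result does. All names (Test OCSP CA, client-good, client-revoked, Rogue Responder) and the index.txt entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the appliance. Emulates the appliance's OCSP
# client check with the openssl CLI: build request, answer it from a CA
# database, verify the answer. Everything lives in a throw-away directory.
set -eu

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Throw-away PKI: an issuing CA, two client certs (serials 1 and 2), and an
# unrelated self-signed key pair that plays the untrusted responder.
setup_pki() {
  [ -f "$W/index.txt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test OCSP CA" \
    -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue Responder" \
    -keyout "$W/rogue.key" -out "$W/rogue.pem" 2>/dev/null
  for name in good revoked; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-$name" \
      -keyout "$W/$name.key" -out "$W/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$W/good.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -set_serial 1 -days 1 -out "$W/good.pem" 2>/dev/null
  openssl x509 -req -in "$W/revoked.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -set_serial 2 -days 1 -out "$W/revoked.pem" 2>/dev/null
  # CA database in OpenSSL index.txt format (tab separated): status, expiry,
  # revocation date, serial, file, subject. Serial 02 is marked revoked (R).
  printf 'V\t991231235959Z\t\t01\tunknown\t/CN=client-good\n' > "$W/index.txt"
  printf 'R\t991231235959Z\t240101000000Z\t02\tunknown\t/CN=client-revoked\n' \
    >> "$W/index.txt"
}

# One OCSP round trip for certificate $1, answered by a responder signing with
# cert $2 / key $3. Any further arguments go to the verifying side (e.g.
# -noverify). Prints "good", "revoked" or "unknown"; returns 1 when the
# response fails verification, exactly as the appliance would reject it.
ocsp_check() {
  cert=$1; signer=$2; key=$3; shift 3
  # Client side: request for the cert's serial under its issuer.
  openssl ocsp -issuer "$W/ca.pem" -cert "$W/$cert.pem" -no_nonce \
    -reqout "$W/$cert.req" >/dev/null 2>&1
  # Responder side: answer from index.txt, signed with the given key.
  openssl ocsp -index "$W/index.txt" -CA "$W/ca.pem" -rsigner "$signer" \
    -rkey "$key" -reqin "$W/$cert.req" -respout "$W/$cert.resp" \
    -no_nonce -noverify >/dev/null 2>&1
  # Client side again: verify the response chain against the CA, then read
  # the status. openssl exits non-zero on "Response Verify Failure".
  out=$(openssl ocsp -issuer "$W/ca.pem" -cert "$W/$cert.pem" -no_nonce \
    -CAfile "$W/ca.pem" -respin "$W/$cert.resp" "$@" 2>/dev/null) || return 1
  printf '%s\n' "$out" | awk -v f="$W/$cert.pem:" '$1 == f { print $2 }'
}

setup_pki
echo "trusted responder, good cert:    $(ocsp_check good    "$W/ca.pem" "$W/ca.key")"
echo "trusted responder, revoked cert: $(ocsp_check revoked "$W/ca.pem" "$W/ca.key")"
if ocsp_check good "$W/rogue.pem" "$W/rogue.key" >/dev/null; then
  echo "rogue responder: accepted (unexpected)"
else
  echo "rogue responder: rejected, response verification failed"
fi
# Equivalent of "Do not verify the OCSP result": the rogue answer is believed.
echo "rogue responder, -noverify:      $(ocsp_check good "$W/rogue.pem" "$W/rogue.key" -noverify)"
```

The last two lines are the reason the documentation warns that skipping verification is only for testing: the same forged response that is rejected with verification on is taken at face value with it off.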