Federation Manager Guide › Key and Certificate Management to Secure Federation Messages › How to Verify that Certificates are Valid using OCSP › OCSP Prerequisites

OCSP Prerequisites

Set up the following components to use OCSP for certificate validation:

• Set up an OCSP responder.
• Store an OCSP trusted responder certificate in the certificate data store. The responder certificate validates the signature of an OCSP response returned to Federation Manager. This certificate is a single trusted verification certificate or a collection of certificates.

  Obtain these certificates from your CA in a communication that is separate from an OCSP transaction.

  Federation Manager can work with any OCSP response that is signed using SHA-1 and the SHA-2 family of algorithms (SHA224, SHA256, SHA384, SHA512).

  The OCSP responder can include the signature verification certificate with the response. Federation Manager then validates the certificate and the response signature with the trusted certificate in the certificate data store.

  If a signature verification certificate is not in the response, Federation Manager verifies the signature with the certificate or collection of certificates in the certificate data store.

  You configure OCSP in the Federation Manager UI and are required to specify the location of the certificate or the collection of certificates.

• Store the CA certificate that issued the user certificate in certificate data store. This CA certificate validates the user certificate.
• (Optional) Store the private key/certificate pair that Federation Manager uses to sign the OCSP request is in the certificate data store.