Configure Online Certificate Status Protocol Checking

Configuration Guides › Policy Server Configuration Guide › Authentication Schemes › Certificate Mapping for X.509 Client Authentication Schemes › Confirm the Validity of Certificates › Configure Online Certificate Status Protocol Checking

Configure Online Certificate Status Protocol Checking

Configure OCSP checking to ensure that a user with an invalid client certificate cannot access a protected resource.

The Policy Server uses a file to implement OCSP checking. This file, named smocsp.conf, contains a series of attributes that define the operation of one or more OCSPResponders. the smocsp.conf file resides in the config directory under the directory where you installed the Policy Server.

The smocsp.conf file must be an ASCII file containing one or more OCSPResponder records, each with the following format:

[
OCSPResponder
IssuerDN <IssuerDN>
[AlternateIssuerDN <IssuerDN>]
CACertDir <Name of User Dir containing CA cert>
CACertEP <Entry point in CACertDir containing CA cert>
ResponderCertDir <Name of User Dir containing Responder cert>
ResponderCertEP <Entry point in ResponderCertDir containing Responder cert>
ResponderCertAttr <Directory attribute of Responder cert>
ResponderLocation <Server-name of Responder:port #>
AIAExtension<YES|NO>

Consider the following when creating the smocsp.conf file:

Each OCSPResponder record must start with the tag name OCSPResponder.
Attribute names are not case sensitive.
The user directory is the name of the user directory connection in the Administrative UI, not the IP address of the physical directory.
The existence of a value for IssuerDN indicates the existence of an OCSP Responder record|object.
CACertDir and ResponderCertDir directories should exist as user directories in the Policy Server database.
All attributes except for AIAExtension and ResponderLocation are required.
Note: ResponderLocation should exist or AIAExtension should be YES.
AIAExtension is defaulted to NO.

The following table shows how pAIAExtension and ResponderLocation attributes work together:

If	Then
AIAExtension is YES	The AIAExtension is used for validations, if it is found in the certificate. Otherwise, the ResponderLocation is used.
AIAExtension is NO	The ResponderLocation is used, regardless of the value of AIAExtension in the userCertificate in the request.

To configure OCSP certificate status checking

Disable CRL checking for certificate mapping.
Create an smocsp.conf file in the Policy Server config directory, policy_server_installation_dir/config.

The following is an example of a smocsp.conf file:

[
OCSPResponder IssuerDN C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD CLASS 3 CA-9 
CACertDir localhost:389 
CACertEP cn=DOD CLASS 3 CA-9,ou=PKI,ou=DoD,o=U.S. Government,c=US  ResponderCertDir localhost:389 
ResponderCertEP cn=OCSP,ou=PKI,ou=DoD,o=U.S. Government,c=US ResponderCertAttr cacertificate 
ResponderLocation aristotle.jfcom.mil:80 
]

More information:

Configure Certificate Revocation List Checking

Email CA Technologies about this topic