Previous Topic: Check Certificate Validity with CRLsNext Topic: Global Policies, Rules, and Responses


Check Certificate Validity with OCSP

Some features require certificate validation for certificates in the certificate data store. In 12.51, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages.

To check the validity of certificates, the certificate data store can use an OCSP service. OCSP uses an HTTP service that a Certificate Authority (CA) provides to supply certificate validation on demand.

Note: Federation features implement the use of OCSP differently than X.509 authentication schemes. The authentication schemes use an independent LDAP directory to store OCSP responder certificates. The authentication schemes do not use the certificate data store.

By default, the revocation status of a certificate in the certificate data store is not checked. To check the revocation status through an OCSP responder, use the OCSP updater utility (OCSPUpdater). When enabled, the OCSPUpdater checks the revocation status for configured OCSP responders every 5 minutes. This default frequency is configurable.

Configuration of the OCSPUpdater relies on the following components:

Failover Between OCSP and CRL Checking

The certificate data store supports failover from OCSP to CRL validation. If you configure CRLs and OCSP checking, you can enable failover between the two.

Federation features do not support certificate distribution point extensions with failover configured, even if the extensions are in a certificate.

More information:

Certificate Validity Checking for X.509 Client Certificate Authentication