Check Certificate Validity with OCSP

Policy Server Guides › Policy Server Configuration Guide › Key and Certificate Management › Check Certificate Validity with OCSP

Check Certificate Validity with OCSP

CA SiteMinder® provides features that require certificate validation for certificates in the certificate data store. In 12.52, federation features use the certificate data store. These features include protecting the HTTP-Artifact back channel, verifying SAML messages, and encrypting SAML messages.

To check the validity of certificates, the certificate data store can use an OCSP service. OCSP uses an HTTP service that a Certificate Authority (CA) provides to supply certificate validation on demand.

Note: Federation features implement the use of OCSP differently than CA SiteMinder® X.509 authentication schemes. The authentication schemes use an independent LDAP directory to store OCSP responder certificates. The authentication schemes do not use the certificate data store.

By default, CA SiteMinder® does not check the revocation status of a certificate in the certificate data store. To check the revocation status through an OCSP responder, use the OCSP updater utility (OCSPUpdater). When enabled, the OCSPUpdater checks the revocation status for configured OCSP responders every 5 minutes. This default frequency is configurable.

Configuration of the OCSPUpdater relies on the following components:

SMocsp.conf File
The OCSPUpdater uses the SMocsp.conf file for OCSP responder configuration. Each Certificate Authority (CA) that issues certificates has its own OCSP responder. In the SMocsp.conf file, include every OCSP responder for each CA certificate in the certificate data store.

An SMocsp.conf file must exist to use the OCSPUpdater.

Note: The SMocsp.conf file is the same file that the CA SiteMinder® X.509 certificate authentication scheme uses to configure its own OCSP implementation.
XPSConfig utility
XPSConfig lets you customize the behavior of the OCSPUpdater, such as enabling it and setting the frequency of updates. The customization is local to the Policy Server running the OCSPUpdater. Enable an OCSPUpdater on only one Policy Server in a CA SiteMinder® deployment.

Failover Between OCSP and CRL Checking

The certificate data store supports failover from OCSP to CRL validation. If you configure CRLs and OCSP checking, you can enable failover between the two.

CA SiteMinder® federation features do not support certificate distribution point extensions with failover configured, even if the extensions are in a certificate.

More information:

Certificate Validity Checking (optional)