OCSP certificate revocation checking
The Online Certificate Status Protocol (OCSP) Certificate Revocation Checking application definition field determines whether OCSP certificate revocation checking is done using the certificate's Authority Information Access (AIA) extension information, and whether OCSP stapling is enabled or required.
OCSP revocation checking using AIA information happens when both of the following are true:
- OCSP AIA checking is enabled.
- The certificate to be validated has an AIA extension with a PKIX_AD_OCSP access method that contains a URI of the HTTP location of the OCSP responder.
Note: The first OCSP responder that is identified in the AIA extension is queried for revocation status.
Enabling OCSP stapling on a client application causes the client to request OCSP stapling by sending the certificate status request extension as part of the client hello. Server applications with OCSP stapling enabled support the certificate status request extension and query the OCSP responder on behalf of the client when receiving the extension.
A client application can also indicate that it requires OCSP stapling. This means that if the client does not receive a stapled OCSP response from the server and the server's certificate indicates that it must staple, then the client fails the secure connection.
The default value for the field is *PGM, meaning that the program that uses this "application ID" sets the attribute to the appropriate value. All System TLS attributes have an initial default value. For this attribute, the default value is disabled for both AIA checking and OCSP stapling. Programs can explicitly enable or disable OCSP AIA checking and OCSP stapling with gsk_attribute_set_enum().
If *PGM does not result in OCSP AIA validation and revocation checking is wanted, set this field to “Enable.” The internal setting is overridden and OCSP checking happens when AIA information is available.
If *PGM does not result in OCSP stapling and support is wanted, set this field to “Stapling.” The internal setting is overridden and OCSP stapling is requested by client applications and supported by server applications. Additionally, this enables OCSP AIA checking when AIA information is available on the certificate.
Setting this field to “Stapling Required” overrides the internal setting and enables OCSP AIA checking for client and server applications, enables OCSP stapling for client and server applications, and requires OCSP stapling for client applications.
If *PGM results in OCSP AIA validation or OCSP stapling, yet revocation checking is not wanted, set this field to “Disable.” Disabling OCSP weakens the security model for the application, so use due diligence before you make this choice.
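The following Python model, added here as an illustration and not IBM's code, shows how the field values above combine with the program's own gsk_attribute_set_enum() choice, and how a client then decides between a stapled response, an AIA query to the first responder, failing the handshake, or no check at all. It assumes that "Enable" forces AIA checking while leaving stapling as the program set it, and that a program cannot itself put the client into "stapling required" mode under *PGM; both are assumptions, not statements from the page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple

class OcspField(Enum):
    """Values of the OCSP Certificate Revocation Checking application definition field."""
    PGM = "*PGM"
    ENABLE = "Enable"
    STAPLING = "Stapling"
    STAPLING_REQUIRED = "Stapling Required"
    DISABLE = "Disable"

@dataclass(frozen=True)
class OcspPolicy:
    aia_checking: bool        # query the responder named in the AIA extension
    stapling: bool            # client requests / server supports certificate status request
    stapling_required: bool   # client only: fail when a must-staple cert is not stapled

def resolve_policy(field: OcspField, program_aia: bool = False,
                   program_stapling: bool = False) -> OcspPolicy:
    """Effective behaviour: any value other than *PGM overrides what the program
    set with gsk_attribute_set_enum(). The program defaults here (both disabled)
    mirror the System TLS initial defaults."""
    if field is OcspField.PGM:
        return OcspPolicy(program_aia, program_stapling, False)
    if field is OcspField.DISABLE:
        return OcspPolicy(False, False, False)
    if field is OcspField.ENABLE:
        # Assumption: "Enable" forces AIA checking; stapling stays as the program set it.
        return OcspPolicy(True, program_stapling, False)
    if field is OcspField.STAPLING:
        return OcspPolicy(True, True, False)
    return OcspPolicy(True, True, True)  # STAPLING_REQUIRED

def client_revocation_outcome(policy: OcspPolicy, stapled_response: bool,
                              cert_must_staple: bool,
                              aia_ocsp_uris: Sequence[str]) -> Tuple[str, Optional[str]]:
    """Decide how a client checks the server certificate's revocation status.
    Returns (outcome, responder URI or None). aia_ocsp_uris is the ordered list
    of PKIX_AD_OCSP URIs from the AIA extension; only the first one is queried."""
    if policy.stapling and stapled_response:
        return ("stapled", None)
    if policy.stapling_required and cert_must_staple:
        return ("fail", None)          # required, must-staple, nothing stapled: abort
    if policy.aia_checking and aia_ocsp_uris:
        return ("aia", aia_ocsp_uris[0])
    return ("none", None)              # no revocation check is performed
```

Note that with "Stapling" (not required) a must-staple certificate without a stapled response falls back to an AIA query rather than failing; only "Stapling Required" aborts the connection.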