Enabling OCSP validation

Online Certificate Status Protocol (OCSP) tests whether a certificate has been revoked since it was issued. You can enable OCSP validation to check the certificates used for IBM® MFA PIV/CAC or X.509 Certificate authentication. When enabled, OCSP validation runs as an additional security measure after the other certificate validation steps, and it is attempted only for certificates that have already passed those steps.

Before you begin

If you want to use OCSP validation, you must create the OCSP truststore in Privacy Enhanced Mail (PEM) format. The certificates in the OCSP truststore must be a single-file concatenation of:
  • The direct issuing certificate in the chain (not necessarily the Root CA) for each certificate you want to check via OCSP.
  • The root CA for each OCSP response you expect to receive. This is typically the same as the root CA for the certificate, but is not technically required to be the same.
Important: You may find that the server truststore you created in Creating the server truststore satisfies all the requirements of the OCSP truststore. In this case, you can simply specify the location of the server truststore as the location of the OCSP truststore.

About this task

The responder URI provides timely information regarding the revocation status of certificates. There are two ways to specify which responder URI to use:
  • One or more OCSP responder URIs are embedded in the certificates used for client authentication, either because they are already present or because you add them. The specific steps required to use this method depend on the process and products your organization uses to issue client certificates.
    You can use the openssl command to view the OCSP information for the certificate. For example:
    openssl x509 -in your-cert.pem -text
    :
    Authority Information Access:
              OCSP - URI:http://some-url
  • You can specify the responder URI in the Default Responder URI field. The Default Responder URI setting is used only if the certificate does not contain any responder URIs.
Handling the OCSP response

By default, IBM MFA assumes that the certificate is valid unless the responder URI returns an explicit revoked status. Any other status fails "open" and the certificate is accepted.

Important: You can change the default fail open status by enabling the Deny Access on Any OCSP Error control. You should not enable this control unless you are aware of the possible reasons for OCSP errors and accept the ramifications of denying access based on these errors.
For example, if the IBM MFA server does not have network connectivity to the responder URI, the default status fails "open" and the certificate is accepted. If you set an elevated trace level, the following message is printed to the IBM MFA server log file:

(A remote host refused an attempted connect operation.)
AZFCERT1:OCSP: Failed to init http session for 
    Responder URI: http://some-uri
As another example, if OCSP is enabled but the certificate does not contain a responder URI and you have not configured a default responder URI, the certificate is accepted by default. If you set an elevated trace level, the following message is printed to the IBM MFA server log file:
AZFCERT1:OCSP: No embedded or default Responder URI; granting access
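Because both of these outcomes grant access without a completed revocation check, it is worth knowing how often they occur. The following Python is an added example, not part of the IBM documentation: it scans an IBM MFA server trace log for the two fail-open messages quoted above and counts them by reason and by responder URI. The timestamp prefix, subject names and responder URI in the sample log are constructed assumptions; the AZFCERT1:OCSP message texts are the documented ones.

```python
import re
from collections import Counter

# Constructed sample IBM MFA trace log: the AZFCERT1:OCSP texts are the ones
# documented above; timestamps, subject names and the URI are assumptions.
SAMPLE_LOG = """\
2024-05-01 10:00:01 AZFCERT1: Certificate chain validated for CN=alice
2024-05-01 10:00:01 (A remote host refused an attempted connect operation.)
2024-05-01 10:00:01 AZFCERT1:OCSP: Failed to init http session for
    Responder URI: http://ocsp.example.test
2024-05-01 10:02:13 AZFCERT1:OCSP: No embedded or default Responder URI; granting access
2024-05-01 10:05:40 AZFCERT1: Certificate chain validated for CN=bob
2024-05-01 10:05:41 AZFCERT1:OCSP: Failed to init http session for
    Responder URI: http://ocsp.example.test
"""

# "Failed to init" spans two log lines; the URI is matched after joining the continuation.
UNREACHABLE_RE = re.compile(
    r"AZFCERT1:OCSP: Failed to init http session for\s+Responder URI:\s*(?P<uri>\S+)")
NO_URI_RE = re.compile(r"AZFCERT1:OCSP: No embedded or default Responder URI; granting access")

def join_continuations(text):
    """Merge indented continuation lines into the preceding log record."""
    records = []
    for line in text.splitlines():
        if line[:1].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records

def classify(record):
    """Return (reason, responder_uri) for a fail-open record, else None."""
    m = UNREACHABLE_RE.search(record)
    if m:
        return ("responder_unreachable", m.group("uri"))
    if NO_URI_RE.search(record):
        return ("no_responder_uri", None)
    return None

def ocsp_fail_open_summary(text):
    """Count access grants made without a completed OCSP check, by reason and by URI."""
    by_reason, by_uri = Counter(), Counter()
    for hit in filter(None, map(classify, join_continuations(text))):
        reason, uri = hit
        by_reason[reason] += 1
        if uri:
            by_uri[uri] += 1
    return by_reason, by_uri
```

A sustained count of "responder_unreachable" for one URI points at a connectivity or responder outage during which revoked certificates would still have been accepted; a non-zero "no_responder_uri" count shows certificates being issued without embedded OCSP information while no Default Responder URI is configured.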
Enabling OCSP validation

To enable OCSP validation, complete the following steps. You do not need to complete Steps 1-4 if the server truststore you created in Creating the server truststore satisfies all the requirements of the OCSP truststore.

Procedure

  1. Obtain the certificate chain of the user's certificate. The procedure for obtaining the chain varies by vendor and application.
  2. If the certificates are not already in PEM format, convert them. For example, if the certificates are currently in Distinguished Encoding Rules (DER) format, you can use the openssl x509 command to convert them. The following example converts one intermediate certificate and the root CA certificate.
    openssl x509 -in inter_key.cer -inform der -outform pem -out inter_key.pem
    openssl x509 -in ca_key.cer -inform der -outform pem -out ca_key.pem
  3. Concatenate the certificate .pem files into a single file.
    cat inter_key.pem > ocspTrustStore.pem
    cat ca_key.pem >> ocspTrustStore.pem
  4. If needed, use the secure copy (scp) command to copy the resulting file to the IBM MFA server system.
  5. Specify the location of the file in the Trust Store Path field of the PIV/CAC or X.509 Certificate configuration.
  6. Restart the IBM MFA server, as described in Restarting the IBM MFA server.