Enabling OCSP validation
Online Certificate Status Protocol (OCSP) tests whether a certificate has been revoked since it was issued. You can enable OCSP validation to check the certificates used for IBM® MFA PIV/CAC or X.509 Certificate authentication. When enabled, OCSP validation runs as an additional security measure after the other certificate validation steps, and it is attempted only for certificates that have already passed those steps.
Before you begin
- The direct issuing certificate in the chain (not necessarily the root CA) for each certificate you want to check via OCSP.
- The root CA for each OCSP response you expect to receive. This is typically the same as the root CA for the certificate, but it is not required to be the same.
About this task
- One or more OCSP responder URIs are embedded in the certificates used for client authentication (either already present, or added by you). The specific steps required to use this method depend on the process and products your organization uses to issue client certificates. You can use the openssl command to view the OCSP information for a certificate. For example:
  openssl x509 -in your-cert.pem -noout -text
  The responder URI appears in the Authority Information Access extension of the output:
  Authority Information Access:
      OCSP - URI:http://some-url
- You can specify the responder URI in the Default Responder URI field. The Default Responder URI setting is used only if the certificate does not contain any responder URIs.
By default, IBM MFA assumes that the certificate is valid unless the responder URI returns an explicit revoked status. Any other status fails "open" and the certificate is accepted. For example, the following messages show access being granted after the responder could not be reached, and after no responder URI was found at all:
(A remote host refused an attempted connect operation.)
AZFCERT1:OCSP: Failed to init http session for
Responder URI: http://some-uri
AZFCERT1:OCSP: No embedded or default Responder URI; granting access
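Because the default behaviour fails open, every "Failed to init http session" or "No embedded or default Responder URI" message is a certificate that was accepted without a revocation check, so those messages are worth monitoring. The following added example (not IBM's code) scans log text for the two messages quoted above, counts unreachable responders per URI, and models the fail-open decision beside a fail-closed one; the sample log and its exact line layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the messages quoted on this page; the exact
# line layout of real IBM MFA logs is an assumption.
SAMPLE_LOG = """\
(A remote host refused an attempted connect operation.)
AZFCERT1:OCSP: Failed to init http session for
Responder URI: http://ocsp.example.test
AZFCERT1:OCSP: No embedded or default Responder URI; granting access
AZFCERT1:OCSP: Failed to init http session for
Responder URI: http://ocsp.example.test
AZFCERT1:OCSP: Failed to init http session for
Responder URI: http://ocsp-backup.example.test
"""

FAILED_INIT = re.compile(r"^AZFCERT1:OCSP: Failed to init http session for\s*$")
RESPONDER_URI = re.compile(r"^Responder URI:\s*(\S+)")
NO_URI = re.compile(r"^AZFCERT1:OCSP: No embedded or default Responder URI; granting access")

def find_fail_open_events(log_text):
    """One event per OCSP check that produced no answer. Under the default
    fail-open behaviour each one is a certificate accepted unchecked."""
    events, lines = [], log_text.splitlines()
    for i, line in enumerate(lines):
        if NO_URI.match(line):
            events.append({"reason": "no_responder_uri", "uri": None})
        elif FAILED_INIT.match(line):
            # The responder URI is carried on the next line of the message.
            m = RESPONDER_URI.match(lines[i + 1]) if i + 1 < len(lines) else None
            events.append({"reason": "responder_unreachable",
                           "uri": m.group(1) if m else None})
    return events

def unreachable_responders(events):
    """Count unreachable-responder events per URI: a high count for one URI
    points at a down or mis-specified responder rather than a one-off blip."""
    return Counter(e["uri"] for e in events if e["reason"] == "responder_unreachable")

def ocsp_decision(status, fail_open=True):
    """Acceptance decision for an OCSP outcome ('good', 'revoked', 'unknown',
    'unreachable' or 'no_uri'). fail_open=True reproduces the default described
    above: only an explicit 'revoked' rejects. fail_open=False accepts only 'good'."""
    return status != "revoked" if fail_open else status == "good"
```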
To enable OCSP validation, complete the following steps. You do not need to complete Steps 1-4 if the server truststore you created in Creating the server truststore satisfies all the requirements of the OCSP truststore.