Enabling OCSP validation
Online Certificate Status Protocol (OCSP) tests whether a certificate has been revoked since it was issued. You can enable OCSP validation to test the certificates used for IBM® MFA PIV/CAC or X.509 Certificate authentication. When enabled, OCSP validation is performed as an additional security measure after the other certificate validation steps, and is attempted only for certificates that have already passed those steps.
Before you begin
You need the following certificates for the OCSP truststore:
- The direct issuing certificate in the chain (not necessarily the root CA) for each certificate you want to check via OCSP.
- The root CA for each OCSP response you expect to receive. This is typically the same as the root CA for the certificate, but it is not technically required to be the same.
About this task
- You embed (or they already exist) one or more OCSP responder URIs in the certificates to be used for client authentication. The specific steps required to use this method depend on the process and products you use to issue client certificates in your organization. You can use the openssl command to view the OCSP information for the certificate. For example:
  openssl x509 -in your-cert.pem -noout -text
  ...
  Authority Information Access:
      OCSP - URI:http://some-url
- You can specify the responder URI in the Default Responder URI field. The Default Responder URI setting is used only if the certificate does not contain any responder URIs.
By default, IBM MFA assumes that the certificate is valid unless the responder URI returns an explicit revoked status. Any other status fails "open" and the certificate is accepted. For example, the following log messages show the fail-open behaviour when the responder cannot be reached or no responder URI is available:
  AZFCERT1:OCSP: Failed to init http session for Responder URI: http://some-uri (A remote host refused an attempted connect operation.)
  AZFCERT1:OCSP: No embedded or default Responder URI; granting access
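The responder selection and fail-open rule described above, as an added example that is not IBM MFA code: it scans a DER certificate for id-ad-ocsp entries in the Authority Information Access extension, falls back to the default responder URI, and classifies the OCSP outcome. The sample certificate bytes, the URIs and the fail_open switch are constructed assumptions for illustration.

```python
"""Added example: OCSP responder selection and access decision (not IBM MFA code)."""

# DER encoding of OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp), the AIA accessMethod for OCSP.
OCSP_ACCESS_METHOD_DER = bytes.fromhex("06082b06010505073001")


def embedded_ocsp_uris(cert_der):
    """Return OCSP URIs from the certificate's AIA extension.

    Simplified DER scan: each id-ad-ocsp accessMethod is followed by a GeneralName;
    only the uniformResourceIdentifier choice ([6], tag 0x86) with a short-form
    length is accepted, which covers the URIs openssl prints as 'OCSP - URI:'.
    """
    uris, start = [], 0
    while True:
        i = cert_der.find(OCSP_ACCESS_METHOD_DER, start)
        if i < 0:
            return uris
        j = i + len(OCSP_ACCESS_METHOD_DER)
        if j + 2 <= len(cert_der) and cert_der[j] == 0x86 and cert_der[j + 1] < 0x80:
            n = cert_der[j + 1]
            uris.append(cert_der[j + 2:j + 2 + n].decode("ascii"))
        start = j


def choose_responders(cert_der, default_responder_uri):
    """Embedded URIs win; the Default Responder URI is used only when none are embedded."""
    uris = embedded_ocsp_uris(cert_der)
    if uris:
        return uris
    return [default_responder_uri] if default_responder_uri else []


def decide(ocsp_status, fail_open=True):
    """ocsp_status is 'good', 'revoked', 'unknown', or None when no responder answered.

    fail_open=True mirrors the documented default (only an explicit 'revoked' denies);
    fail_open=False is a hypothetical stricter policy a deployment might prefer.
    """
    if ocsp_status == "revoked":
        return "deny"
    if ocsp_status == "good":
        return "allow"
    return "allow" if fail_open else "deny"


# Constructed stand-in for a certificate: padding around one AIA accessDescription.
_URI = b"http://ocsp.example.test"
_ACCESS_DESC = (b"\x30" + bytes([len(OCSP_ACCESS_METHOD_DER) + 2 + len(_URI)])
                + OCSP_ACCESS_METHOD_DER + b"\x86" + bytes([len(_URI)]) + _URI)
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + b"\x00" * 20 + _ACCESS_DESC + b"\x00" * 8
```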
To enable OCSP validation, complete the following steps. You do not need to complete Steps 1-4 if the server truststore you created in Creating the server truststore satisfies all the requirements of the OCSP truststore.
- Obtain the certificate chain of the user's certificate. The procedure to obtain the certificate chain varies by the vendor and application.
- If the certificates are not already in the PEM format, convert them. For example, if the certificates are currently in the Distinguished Encoding Rules (DER) format, you can use the openssl x509 command to convert them. The following example converts one intermediate certificate and the root CA certificate.
  openssl x509 -in inter_key.cer -inform der -outform pem -out inter_key.pem
  openssl x509 -in ca_key.cer -inform der -outform pem -out ca_key.pem
- Concatenate the certificate .pem files into a single file.
  cat inter_key.pem > ocspTrustStore.pem
  cat ca_key.pem >> ocspTrustStore.pem
- If needed, use the secure copy (scp) command to copy the resulting file to the IBM MFA server system.
- Specify the location of the file in the Trust Store Path field of the PIV/CAC or X.509 Certificate configuration.
- Restart the IBM MFA server, as described in Restarting the IBM MFA server.