Use OCSP for certificate validation
Setting up an OCSP server

Note: the OCSP server components included in SecureBlackbox implement only the OCSP functionality and require external HTTP(S) server components for HTTP request processing. The functionality offered by HTTPBlackbox, or any other compatible HTTP implementation that can hand dedicated OCSP requests to an external handler, will do.

Implementing the OCSP responder requires a preparatory stage dedicated to setting up the HTTP server. Your server should be capable of accepting POST requests with the 'application/ocsp-request' content type, forwarding the request body to the request handler, receiving the result from the handler and sending it back in an HTTP response with the 'application/ocsp-response' content type.

Implementing the OCSP request handler involves the steps given below. The handler expects a properly formed OCSP request on input (received from the HTTP server) and returns the corresponding OCSP response.

1. Create a TElOCSPServer object:

    TElOCSPServer ocspServer = new TElOCSPServer();

2. Each OCSP responder must have its signing certificate, which is either the CA certificate itself or an independent certificate duly authorized by the CA for OCSP signing: it must be issued by that CA and carry the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2), with a key usage that permits digital signatures. Load the certificate (and, optionally, the rest of its chain) into a TElMemoryCertStorage object and assign the storage object to the SigningCertStorage property of the server. The OCSP signing certificate must have its private key associated with it. The key may be non-exportable, e.g. if it is kept on a hardware device.

    TElMemoryCertStorage signingCerts = new TElMemoryCertStorage();
    signingCerts.Add(signingCert, true);
    signingCerts.Add(caCert, true);
    ocspServer.SigningCertStorage = signingCerts;

3. Tune the server. IncludeCertificates makes the responder embed its signing certificate (and chain) in the response so that clients can validate the signature; ResponderIdType selects how the responder identifies itself in the ResponderID field (by subject name or by key hash):

    ocspServer.IncludeCertificates = true;
    ocspServer.ResponderIdType = TElResponderIDType.ritName;

4. Handle the OnCertificateCheck event and implement the handler as per your certificate checking logic:

    void handleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash, byte[] issuerKeyHash,
        byte[] certificateSerial, ref TElOCSPCertificateStatus certStatus, ref TSBCRLReasonFlag reasonFlag,
        ref DateTime revocationTime, ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
        // You are expected to check your database for the up-to-date status of the requested certificate.
        // The certificate is identified by the CertID of the request: the hash algorithm, the hash of the
        // issuer's name, the hash of the issuer's public key, and the serial number. A serial number is only
        // unique within one issuer, so compare the issuer hashes with those of the CA(s) you serve before
        // looking the serial up, and report the certificate as unknown if they do not match.
        // Having established the status, adjust the values of certStatus, reasonFlag and revocationTime accordingly.
        // Independently of whether the certificate is revoked or not, set thisUpdate to the time of the last
        // certificate status update in the database, and nextUpdate to the time when the next update is expected.
    }

5. Set ProducedAt to reflect the current time:

    ocspServer.ProducedAt = DateTime.UtcNow;

6. Call ProcessRequest(), passing the request you got from the HTTP server as the Request parameter. The response is returned through the by-ref Reply parameter:

    ocspServer.ProcessRequest(request, ref reply);

Note: since ProducedAt and the state established by the OnCertificateCheck handler belong to a single request, you need a dedicated TElOCSPServer object for every incoming request; one instance must not be shared between requests processed concurrently. For small environments you might be fine with creating an individual TElOCSPServer object for every new request; for more heavily loaded environments you might need some sort of object pooling.
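The steps above assembled into one responder, as an added example that is not SecureBlackbox's own code. It assumes the SecureBlackbox .NET namespaces named in the using lines, the TElOCSPCertificateStatus members csGood/csRevoked/csUnknown, and a status database prepared by the operator: a set of served issuer identities (hex of the hash algorithm OID, issuer name hash and issuer key hash, precomputed from the CA certificate as RFC 6960 defines CertID) plus a serial-to-status dictionary. The HTTP front end uses System.Net.HttpListener in place of HTTPBlackbox; the class and member names are this example's own.

```csharp
// Added example, not SecureBlackbox's own code. SecureBlackbox namespaces, the enum members
// csGood/csRevoked/csUnknown and the issuer/serial configuration are assumptions, not taken from the page.
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Threading;
using SBX509; using SBCustomCertStorage; using SBOCSPServer; using SBOCSPCommon; using SBCRL; // assumed

public sealed class RevocationRecord { public bool Revoked; public TSBCRLReasonFlag Reason; public DateTime RevocationTime; }

public sealed class OcspResponderService
{
    const long MaxRequestBytes = 64 * 1024;                 // OCSP requests are small; refuse anything larger
    readonly TElX509Certificate signingCert, caCert;
    readonly HashSet<string> servedIssuers;                 // "hashAlgOID:issuerNameHash:issuerKeyHash", hex
    readonly Dictionary<string, RevocationRecord> statusDb; // serial (hex) -> status; read-only after start
    readonly DateTime dbLastUpdate; readonly TimeSpan dbUpdateInterval;

    public OcspResponderService(TElX509Certificate signingCert, TElX509Certificate caCert, IEnumerable<string> servedIssuers,
        Dictionary<string, RevocationRecord> statusDb, DateTime dbLastUpdate, TimeSpan dbUpdateInterval)
    {
        this.signingCert = signingCert; this.caCert = caCert; this.statusDb = statusDb;
        this.servedIssuers = new HashSet<string>(servedIssuers, StringComparer.OrdinalIgnoreCase);
        this.dbLastUpdate = dbLastUpdate; this.dbUpdateInterval = dbUpdateInterval;
    }

    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }

    // Step 4. Match the issuer hashes before looking the serial up: a serial number is only unique
    // within one issuer. An unknown issuer or an unknown serial answers "unknown", never "good".
    void HandleCertificateCheck(object sender, byte[] hashAlgOID, byte[] issuerNameHash, byte[] issuerKeyHash,
        byte[] certificateSerial, ref TElOCSPCertificateStatus certStatus, ref TSBCRLReasonFlag reasonFlag,
        ref DateTime revocationTime, ref DateTime thisUpdate, ref DateTime nextUpdate)
    {
        thisUpdate = dbLastUpdate;                          // set for every answer, revoked or not
        nextUpdate = dbLastUpdate + dbUpdateInterval;
        string issuerId = Hex(hashAlgOID) + ":" + Hex(issuerNameHash) + ":" + Hex(issuerKeyHash);
        RevocationRecord rec;
        if (!servedIssuers.Contains(issuerId) || !statusDb.TryGetValue(Hex(certificateSerial), out rec)) {
            certStatus = TElOCSPCertificateStatus.csUnknown;
        } else if (rec.Revoked) {
            certStatus = TElOCSPCertificateStatus.csRevoked;
            reasonFlag = rec.Reason;
            revocationTime = rec.RevocationTime;
        } else { certStatus = TElOCSPCertificateStatus.csGood; }
    }

    // Steps 1-3, 5 and 6: a fresh TElOCSPServer per request, so concurrent requests never share state.
    public byte[] HandleRequest(byte[] request)
    {
        TElOCSPServer ocspServer = new TElOCSPServer();
        TElMemoryCertStorage signingCerts = new TElMemoryCertStorage();
        signingCerts.Add(signingCert, true);
        signingCerts.Add(caCert, true);
        ocspServer.SigningCertStorage = signingCerts;
        ocspServer.IncludeCertificates = true;
        ocspServer.ResponderIdType = TElResponderIDType.ritName;
        ocspServer.OnCertificateCheck += HandleCertificateCheck;
        ocspServer.ProducedAt = DateTime.UtcNow;
        byte[] reply = null;
        ocspServer.ProcessRequest(request, ref reply);
        return reply;
    }

    // The HTTP framing the page leaves to an external server: POST application/ocsp-request in,
    // application/ocsp-response out. Anything else is rejected before the OCSP layer sees it.
    public void Serve(string prefix)                        // e.g. "http://+:8080/ocsp/"
    {
        HttpListener listener = new HttpListener();
        listener.Prefixes.Add(prefix); listener.Start();
        while (true) {
            HttpListenerContext ctx = listener.GetContext();
            ThreadPool.QueueUserWorkItem(delegate { HandleHttp(ctx); });
        }
    }

    void HandleHttp(HttpListenerContext ctx)
    {
        HttpListenerRequest req = ctx.Request; HttpListenerResponse resp = ctx.Response;
        try {
            string ct = req.ContentType ?? "";
            if (req.HttpMethod != "POST" || !ct.StartsWith("application/ocsp-request", StringComparison.OrdinalIgnoreCase)) {
                resp.StatusCode = 400; return;
            }
            if (req.ContentLength64 < 0 || req.ContentLength64 > MaxRequestBytes) { resp.StatusCode = 413; return; }
            MemoryStream ms = new MemoryStream();
            req.InputStream.CopyTo(ms);                     // bounded by the Content-Length checked above
            byte[] reply = HandleRequest(ms.ToArray());
            resp.ContentType = "application/ocsp-response";
            resp.ContentLength64 = reply.Length;
            resp.OutputStream.Write(reply, 0, reply.Length);
        }
        catch (Exception) { resp.StatusCode = 500; }        // no exception details to the client
        finally { resp.Close(); }
    }
}
```

Construct the service with the already loaded signing and CA certificates (the signing certificate with its private key attached), the issuer identities and the status dictionary, then call Serve with the listener prefix. The dictionary is treated as read-only after start; if the revocation data is refreshed in place, guard the refresh and the lookups with a lock, or swap in a new dictionary atomically. Answering "unknown" for serials the database does not know is the conservative choice: it avoids vouching for certificates the CA never issued, and lets clients apply their own policy.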