Discuss this help topic in SecureBlackbox Forum

Use OCSP for certificate validation

Configuring the OCSP client component if the server requires authorization

Three methods of OCSP authorization are in common use:

- via the means provided by the HTTP protocol (basic or NTLM authorization); this is the most popular one;
- via TLS certificate-based client authentication;
- via OCSP certificate-based authentication (a signed OCSP request).

Each method requires different handling. In extremely rare cases a PKI infrastructure may employ a combination of the above methods.

1. HTTP-based authorization.

If your OCSP responder provided you with HTTP credentials (e.g. a username and password), pass them to your TElHTTPSClient object:

    httpClient.RequestParameters.Username = "username";
    httpClient.RequestParameters.Password = "password";

2. TLS-based client certificate authentication.

This type of authentication is also configured at the TElHTTPSClient level. Load the authentication certificate you have been provided with into a TElX509Certificate object (you can load it from a file or access it via TElPKCS11CertStorage or TElWin32CertStorage). Note that the certificate must have an associated private key. Add the certificate to a TElMemoryCertStorage object (remember to pass true as the CopyPrivateKey parameter) and assign the memory storage to the TElHTTPSClient.ClientCertStorage property.

3. OCSP certificate-based authentication (signed OCSP request).

Get your authentication certificate into a TElMemoryCertStorage object as described for TLS-based authentication above. However, instead of attaching the storage to the TElHTTPSClient object, assign it to your OCSP client's SigningCertStorage property. In addition, set the OCSP client's IncludeSignature property to true.

Note: the signing certificate may or may not be the same as the certificate being checked. If it is the same certificate, you may re-use one memory storage for both the CertStorage and SigningCertStorage properties; in that case make sure the private key associated with the certificate is available in that storage, otherwise the request cannot be signed.
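The three configurations above, collected into one C# helper as an added example (not code from the SecureBlackbox documentation). It assumes the .NET edition class TElHTTPOCSPClient with its HTTPClient property, the namespaces SBX509, SBCustomCertStorage and SBHTTPOCSPClient, and the TElX509Certificate members LoadFromBufferPFX and PrivateKeyExists; the file names, passwords and credentials are placeholders.

```csharp
using System;
using System.IO;
using SBX509;              // TElX509Certificate (assumed namespace)
using SBCustomCertStorage; // TElMemoryCertStorage (assumed namespace)
using SBHTTPOCSPClient;    // TElHTTPOCSPClient (assumed class and namespace)

static class OcspAuthSetup
{
    public enum OcspAuthMethod { Http, TlsClientCert, SignedRequest }

    // Loads a PFX holding the authentication certificate and its private key
    // into a memory storage. The private key is copied (CopyPrivateKey = true)
    // because both TLS client authentication and OCSP request signing need it.
    static TElMemoryCertStorage LoadAuthCertStorage(string pfxPath, string pfxPassword)
    {
        var cert = new TElX509Certificate();
        cert.LoadFromBufferPFX(File.ReadAllBytes(pfxPath), pfxPassword); // assumed signature
        if (!cert.PrivateKeyExists) // assumed property; fail early instead of at request time
            throw new InvalidOperationException("Authentication certificate has no private key.");

        var storage = new TElMemoryCertStorage();
        storage.Add(cert, true); // second parameter is CopyPrivateKey
        return storage;
    }

    // Applies exactly one of the three authorization methods to the OCSP client.
    public static void Configure(TElHTTPOCSPClient ocsp, OcspAuthMethod method)
    {
        switch (method)
        {
            case OcspAuthMethod.Http:
                // Credentials belong to the HTTP transport, not to the OCSP layer.
                ocsp.HTTPClient.RequestParameters.Username = "username";   // placeholder
                ocsp.HTTPClient.RequestParameters.Password = "password";   // placeholder
                break;
            case OcspAuthMethod.TlsClientCert:
                // The storage goes to the TLS client so the certificate is
                // presented during the TLS handshake.
                ocsp.HTTPClient.ClientCertStorage = LoadAuthCertStorage("auth.pfx", "pfx-password");
                break;
            case OcspAuthMethod.SignedRequest:
                // The same kind of storage, but attached to the OCSP client so
                // the OCSP request itself carries a signature.
                ocsp.SigningCertStorage = LoadAuthCertStorage("auth.pfx", "pfx-password");
                ocsp.IncludeSignature = true;
                break;
            default:
                throw new ArgumentOutOfRangeException(nameof(method));
        }
    }
}
```

Call Configure once before issuing the request; if the responder combines methods, call it once per method, since each branch touches a different property.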
