Check certificate status with OCSP components
When using SecureBlackbox there is normally no need to query an OCSP endpoint directly: all work of this kind is delegated to the TElX509CertificateValidator component, which handles all communication with CRL and OCSP services. However, if you need more granular control over certificate validation, you can perform the OCSP check yourself.
To make a successful status request you need both the certificate to be checked and its CA certificate. The CA certificate is mandatory because every OCSP request has to include specific parameters of the CA certificate. You also need to know the address of the OCSP responder (ocspAddress below). This address can be retrieved from the Authority Information Access extension of the checked certificate (access method OCSP, OID 1.3.6.1.5.5.7.48.1).
Typically you would use the TElHTTPOCSPClient class to perform the check, because the vast majority of OCSP responders are bound to HTTP endpoints.
TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();
TElHTTPSClient httpClient = new TElHTTPSClient(); // transport used to reach the responder
ocspClient.HTTPClient = httpClient;
Note: if your OCSP endpoint is an HTTPS one, you will need to handle the TElHTTPSClient.OnCertificateValidate event.
ocspClient.URL = ocspAddress; // responder address taken from the AIA extension
TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();
checkedCerts.Add(cert, false); // the certificate whose status is being queried
ocspClient.CertStorage = checkedCerts;
Note: in general, the OCSP standard allows several certificates to be checked in one request; however, some servers only support single-certificate requests.
TElMemoryCertStorage caCerts = new TElMemoryCertStorage();
caCerts.Add(cacert, false); // issuer of the checked certificate
ocspClient.IssuerCertStorage = caCerts;
Note: there must be exactly one CA entry per checked certificate.
TElOCSPServerError serverResult = SBOCSPCommon.Unit.oseInternalError; // overwritten with the responder's status by PerformRequest
byte[] reply = null; // receives the raw OCSP response
int res = ocspClient.PerformRequest(ref serverResult, ref reply);
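As an added example, not code from this help page or from the SecureBlackbox samples, the steps above wrapped in one C# method that fails closed: anything other than a successful responder answer reporting the certificate as good is returned as not-good. Names assumed beyond the page: the SBX509, SBCustomCertStorage, SBHTTPOCSPClient and SBHTTPSClient namespaces, the ReplyCount and Replies[i].CertStatus members, the csGood/csRevoked/csUnknown and oseSuccessful constants, and a zero return from PerformRequest on success.

```csharp
// Added example; member and namespace names marked above are assumptions, not taken from the page.
using System;
using SBX509;               // TElX509Certificate
using SBCustomCertStorage;  // TElMemoryCertStorage
using SBHTTPOCSPClient;     // TElHTTPOCSPClient
using SBHTTPSClient;        // TElHTTPSClient
using SBOCSPCommon;         // TElOCSPServerError, status constants

public enum OcspOutcome { Good, Revoked, Unknown, Error }

public static class OcspCheck
{
    // Returns Good only when the responder answered successfully and reported the
    // certificate as good. Transport failures, server-side errors, a missing reply
    // and the 'unknown' status all map to a not-good outcome, so callers fail closed.
    public static OcspOutcome CheckStatus(TElX509Certificate cert, TElX509Certificate cacert, string ocspAddress)
    {
        TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();
        TElHTTPSClient httpClient = new TElHTTPSClient();
        ocspClient.HTTPClient = httpClient;
        // For an https:// responder, attach httpClient.OnCertificateValidate here (see the note above).
        ocspClient.URL = ocspAddress;

        TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();
        checkedCerts.Add(cert, false);
        ocspClient.CertStorage = checkedCerts;

        // Exactly one issuer entry for the one checked certificate.
        TElMemoryCertStorage caCerts = new TElMemoryCertStorage();
        caCerts.Add(cacert, false);
        ocspClient.IssuerCertStorage = caCerts;

        TElOCSPServerError serverResult = SBOCSPCommon.Unit.oseInternalError;
        byte[] reply = null;
        int res;
        try { res = ocspClient.PerformRequest(ref serverResult, ref reply); }
        catch (Exception) { return OcspOutcome.Error; } // network or parsing failure

        // Assumed: 0 means the request completed; oseSuccessful means the responder accepted it.
        if (res != 0 || serverResult != SBOCSPCommon.Unit.oseSuccessful || ocspClient.ReplyCount < 1)
            return OcspOutcome.Error;

        // Assumed: the first reply corresponds to the single certificate submitted.
        TElOCSPCertificateStatus status = ocspClient.Replies[0].CertStatus;
        if (status == SBOCSPCommon.Unit.csGood) return OcspOutcome.Good;
        if (status == SBOCSPCommon.Unit.csRevoked) return OcspOutcome.Revoked;
        return OcspOutcome.Unknown;
    }
}
```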