Discuss this help topic in SecureBlackbox Forum
Configure OCSP client for server authorization
Three most common methods of OCSP authorization are:
- through HTTP protocol (basic or NTLM authorization), the most popular method;
- using TLS certificate-based client authentication;
- via OCSP certificate-based authentication.
In rare occasion, a combination of the above methods can be employed by a PKI infrastructure.
Each method requires different handling.
-
HTTP-based authorization.
If your OCSP responder provided you with HTTP credentials (e.g., username and password), simply pass them to your TElHTTPSClient object:
httpClient.RequestParameters.Username = "username";
httpClient.RequestParameters.Password = "password";
-
TLS-based client certificate authentication.
This type of authentication also needs to be configured on the TElHTTPSClient level.
Load the authentication certificate you've been provided with into a TElX509Certificate object.
There are many ways to load your certificate, either from file or memory stream, or using TElPKCS11CertStorage or TElWin32CertStorage.
Different methods are described in the PKI basic how-to's.
Note, that the certificate must have an associated private key.
Once the certificate is loaded into TElMemoryCertStorage object (remember to pass true as the CopyPrivateKey parameter!), assign this storage your HTTPS client's ClientCertStorage property.
-
OCSP certificate-based authentication (signed OCSP request).
Load your authentication certificate into TElMemoryCertStorage object.
Instead of attaching the storage to your HTTPS client, assign it to your OCSP client's SigningCertStorage property.
Besides, set the IncludeSignature property to true.
Note, that signing certificate may or may not correspond to the certificate being checked.
If it doesn't, you may re-use the same memory storage for the CertStorage and SigningCertStorage properties.
However, please make sure that the associated private key is available for the certificate.
How To articles about OCSP
Discuss this help topic in SecureBlackbox Forum