Use OCSP for certificate validation
Configuring OCSP client component if server requires authorization

Three common methods of OCSP authorization are widely used:
- via means provided by the HTTP protocol (basic or NTLM authorization) - this is the most popular one;
- via TLS certificate-based client authentication;
- via OCSP certificate-based authentication.

Each method requires different handling. In some extremely rare cases a PKI infrastructure may employ a combination of the above methods.

1. HTTP-based authorization.

If your OCSP responder provided you with HTTP credentials (e.g. a username and password), pass them to your TElHTTPSClient object:

httpClient.RequestParameters.Username = "username";
httpClient.RequestParameters.Password = "password";

2. TLS-based client certificate authentication.

This type of authentication is also configured at the TElHTTPSClient level. Load the authentication certificate you have been provided with into a TElX509Certificate object (you can load it from a file or access it via TElPKCS11CertStorage or TElWin32CertStorage). Note that the certificate must have an associated private key. Add the certificate to a TElMemoryCertStorage object (remember to pass true as the CopyPrivateKey parameter) and assign the memory storage to the TElHTTPSClient.ClientCertStorage property.

3. OCSP certificate-based authentication (signed OCSP request).

Get your authentication certificate into a TElMemoryCertStorage object as described for TLS-based authentication above. However, instead of attaching the storage to the TElHTTPSClient object, assign it to your OCSP client's SigningCertStorage property. In addition, set the OCSP client's IncludeSignature property to true.

Note: the signing certificate may or may not correspond to the certificate being checked. In the former case, you may re-use the same memory storage for the CertStorage and SigningCertStorage properties; however, make sure that the associated private key is available for the certificate.
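The three configurations above wired into one helper, as an added C# example that is not code from this help page. The SBX509/SBCustomCertStorage/SBHTTPSClient/SBOCSPClient namespaces and the LoadFromFileAuto, PrivateKeyExists, HTTPClient and URL members are assumed from the SecureBlackbox .NET API rather than stated on this page; the PFX path, password and HTTP credentials are placeholders.

```csharp
using System;
using SBX509;               // TElX509Certificate
using SBCustomCertStorage;  // TElMemoryCertStorage
using SBHTTPSClient;        // TElHTTPSClient
using SBOCSPClient;         // TElOCSPClient

enum OcspAuthMode { HttpCredentials, TlsClientCert, SignedRequest }

static class OcspAuthSetup
{
    // Loads the responder-issued authentication certificate (PFX with key) into a
    // memory storage. CopyPrivateKey=true so the key is kept with the certificate,
    // which both the TLS and the signed-request methods require.
    static TElMemoryCertStorage LoadAuthCert(string pfxPath, string pfxPassword)
    {
        var cert = new TElX509Certificate();
        cert.LoadFromFileAuto(pfxPath, pfxPassword);   // assumed API member
        if (!cert.PrivateKeyExists)                    // assumed API member
            throw new InvalidOperationException("auth certificate has no private key");
        var store = new TElMemoryCertStorage();
        store.Add(cert, true);                         // CopyPrivateKey = true
        return store;
    }

    // certsToCheck: storage holding the certificate(s) whose status is requested.
    public static TElOCSPClient Configure(OcspAuthMode mode, string responderUrl,
        TElMemoryCertStorage certsToCheck, string pfxPath = null, string pfxPassword = null,
        string user = null, string password = null)
    {
        var http = new TElHTTPSClient();
        var ocsp = new TElOCSPClient();
        ocsp.HTTPClient = http;          // assumed API member
        ocsp.URL = responderUrl;         // assumed API member
        ocsp.CertStorage = certsToCheck;

        switch (mode)
        {
            case OcspAuthMode.HttpCredentials:   // method 1: HTTP basic/NTLM
                http.RequestParameters.Username = user;
                http.RequestParameters.Password = password;
                break;
            case OcspAuthMode.TlsClientCert:     // method 2: TLS client certificate
                http.ClientCertStorage = LoadAuthCert(pfxPath, pfxPassword);
                break;
            case OcspAuthMode.SignedRequest:     // method 3: signed OCSP request
                ocsp.SigningCertStorage = LoadAuthCert(pfxPath, pfxPassword);
                ocsp.IncludeSignature = true;
                break;
        }
        return ocsp;
    }
}
```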