Discuss this help topic in SecureBlackbox Forum

Use OCSP for certificate validation

OCSP (Online Certificate Status Protocol) is a real-time way to check the state of the certificate, i.e. verify that the certificate has not been revoked.

SecureBlackbox offers TElOCSPClient and TElCustomOCSPServer classes for OCSP implementation.

Only the certificate, whose issuer (CA) certificate is also available, can be checked using OCSP.

To find out the location of the OCSP server, which can report the certificate status, you need to take the issuer (CA) certificate, and read it's AuthorityInformationAccess extension. With TElX509Certificate class, the extension class name is TElAuthorityInformationAccessExtension. This class has AccessDescriptions[] property, which contains one or more access descriptors (TElAccessDescription class). You need to use the description, whose AccessMethod property is set to id-ad-ocsp (OID Then use AccessLocation property to read the URL of the OCSP server. See RFC 3280 for more information about this extension.

The steps to create a request on the client, handle the request and create the reply on the server, and handle the reply on the client, are described in the corresponding how-to articles.

How To articles about OCSP

Discuss this help topic in SecureBlackbox Forum