TElX509CertificateValidator uses so-called CRL and OCSP retriever classes to download revocation information for the X.509 certificates being validated. SecureBlackbox includes the following retrievers:
- TElHTTPCRLRetriever – downloads certificate revocation lists (CRLs) via HTTP(s) protocol.
- TElLDAPCRLRetriever – downloads CRLs via LDAP protocol.
- TElHTTPOCSPClient – performs OCSP requests via HTTP(S) protocol. Strictly speaking this class is not a retriever, but it may need the same additional configuration before it is used in validation scenarios.
Additionally, SecureBlackbox includes TElHTTPCertificateRetriever – a class that downloads, via HTTP(S) protocol, the missing CA certificates needed to validate a particular certificate. The location of the missing CA certificate is taken from an extension of the certificate being validated.
Usually the retriever classes work as expected out of the box. However, they may need additional configuration when revocation information is downloaded via HTTPS or when the connection must be established through a proxy server.
As the retriever classes are used internally by TElX509CertificateValidator, the validator exposes the following events in which you can perform this additional configuration:
- OnBeforeCRLRetrieverUse is fired before a CRL retriever is used. You can check the retriever type by inspecting its Retriever parameter, which may contain an instance of either TElHTTPCRLRetriever or TElLDAPCRLRetriever.
- OnBeforeOCSPClientUse is fired before the OCSP client is used. The internal TElHTTPOCSPClient instance is passed to the event handler via its OCSPClient parameter.
- OnBeforeCertificateRetrieverUse is fired before a certificate retriever is used. The retriever instance is passed to the event handler via its Retriever parameter and may be of type TElHTTPCertificateRetriever.
Once you have the retriever instance inside one of the above-mentioned event handlers, you can configure it in the following way:
- For HTTP(S)-based retrievers, obtain the underlying TElHTTPSClient object via the retriever's HTTPClient property. Then use its WebTunnel* or HTTPProxy* properties to configure a proxy.
- For LDAP-based retrievers, access the underlying TElLDAPSClient instance via the LDAPSClient property and use its WebTunnel* or HTTPProxy* properties to configure a proxy.
- TElLDAPCRLRetriever also includes a ServerList property that may be used to set a list of additional LDAP servers, which are used to download CRLs that are referenced via absolute URLs in the certificate extensions.
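The following Delphi handlers, added here as an example and not taken from the SecureBlackbox documentation or sources, route all three retrievers through one forward proxy from the events above. The event parameter lists, the proxy property names (UseHTTPProxy/HTTPProxyHost/HTTPProxyPort on TElHTTPSClient, UseWebTunneling/WebTunnelAddress/WebTunnelPort on TElLDAPSClient) and the proxy/LDAP host values are assumptions; verify them against the unit declarations of your SecureBlackbox version.

```delphi
const
  { Constructed sample values: the corporate forward proxy and a fallback LDAP host. }
  ProxyHost = 'proxy.example.internal';
  ProxyPort = 3128;
  FallbackLDAPServer = 'ldap.example.internal';

{ Shared helper: point an HTTPS client at the forward proxy.
  Property names assumed from TElHTTPSClient. }
procedure ApplyProxy(Client: TElHTTPSClient);
begin
  if Client = nil then
    Exit;
  Client.UseHTTPProxy := True;
  Client.HTTPProxyHost := ProxyHost;
  Client.HTTPProxyPort := ProxyPort;
end;

{ OnBeforeCRLRetrieverUse: Retriever may be the HTTP or the LDAP CRL
  retriever, so branch on its class before touching transport settings. }
procedure TForm1.ValidatorBeforeCRLRetrieverUse(Sender: TObject;
  Certificate, CACertificate: TElX509Certificate; NameType: TSBGeneralName;
  const Location: string; var Retriever: TElCustomCRLRetriever);
begin
  if Retriever is TElHTTPCRLRetriever then
    ApplyProxy(TElHTTPCRLRetriever(Retriever).HTTPClient)
  else if Retriever is TElLDAPCRLRetriever then
  begin
    { LDAP traffic is tunnelled through the same proxy (WebTunnel* names assumed). }
    with TElLDAPCRLRetriever(Retriever).LDAPSClient do
    begin
      UseWebTunneling := True;
      WebTunnelAddress := ProxyHost;
      WebTunnelPort := ProxyPort;
    end;
    { Extra directory server consulted for CRL distribution points. }
    TElLDAPCRLRetriever(Retriever).ServerList.Add(FallbackLDAPServer);
  end;
end;

{ OnBeforeOCSPClientUse: the OCSP client is HTTP-based, so the same proxy applies. }
procedure TForm1.ValidatorBeforeOCSPClientUse(Sender: TObject;
  Certificate, CACertificate: TElX509Certificate; const OCSPLocation: string;
  var OCSPClient: TElOCSPClient);
begin
  if OCSPClient is TElHTTPOCSPClient then
    ApplyProxy(TElHTTPOCSPClient(OCSPClient).HTTPClient);
end;

{ OnBeforeCertificateRetrieverUse: missing CA certificates are fetched over HTTP(S). }
procedure TForm1.ValidatorBeforeCertificateRetrieverUse(Sender: TObject;
  Certificate: TElX509Certificate; NameType: TSBGeneralName;
  const Location: string; var Retriever: TElCustomCertificateRetriever);
begin
  if Retriever is TElHTTPCertificateRetriever then
    ApplyProxy(TElHTTPCertificateRetriever(Retriever).HTTPClient);
end;
```

Assign these three methods to the validator's OnBeforeCRLRetrieverUse, OnBeforeOCSPClientUse and OnBeforeCertificateRetrieverUse events before calling Validate; the class checks keep a future retriever type from being cast incorrectly.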