Online certificate status protocol (OCSP)

Online Certificate Status Protocol (OCSP) is a widely used protocol for checking whether a certificate has been revoked, and enterprises use it to maintain the security of servers and other network resources. If you have enabled certificate-based authentication in EAA, an OCSP responder can be used to validate certificates. Optionally, you can provide the URL of the OCSP responder that EAA uses to validate the certificate. If it is not provided, the identity provider reads the responder URL from the certificate itself. OCSP can be configured in one of two ways, depending on where the OCSP server is located:
  • Internal: The OCSP server is inside the enterprise network and is not reachable from the public internet. The OCSP responder is deployed on an EAA connector from which the service is reachable.
  • External: The OCSP server is reachable from the public internet. The OCSP responder is not deployed on an EAA connector; instead, the EAA cloud queries the OCSP server directly.
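The fallback described above (a configured Validation URL takes precedence, otherwise the responder URL is taken from the certificate) is easy to verify on a certificate before you fill in the EAA form. The script below is an added example and is not part of the EAA documentation or Akamai's code; it assumes the openssl command-line tool is installed (1.1.1 or later, for `req -addext`). The certificates it generates and the responder URLs `http://ocsp.example.internal/status` and `http://ocsp.example.com/override` are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the EAA documentation: show where an IdP finds the OCSP
# responder when no Validation URL is configured. Requires the openssl CLI (1.1.1+
# for "req -addext"). All certificates and URLs here are constructed placeholders.
set -e

# Build a throwaway self-signed client certificate. If an OCSP URL is given, it is
# embedded in the Authority Information Access (AIA) extension, which is where
# CA-issued certificates carry their responder address. Prints the certificate path.
make_sample_cert() {
  url=$1
  dir=$(mktemp -d)
  set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
         -keyout "$dir/key.pem" -out "$dir/cert.pem"
  if [ -n "$url" ]; then
    set -- "$@" -addext "authorityInfoAccess=OCSP;URI:$url"
  fi
  openssl req "$@" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Print the OCSP responder URL embedded in a certificate's AIA extension.
# Prints nothing when the certificate carries no OCSP entry.
ocsp_url_of() {
  openssl x509 -noout -ocsp_uri -in "$1"
}

# Mirror the lookup order described above: a configured Validation URL wins;
# otherwise fall back to the URL in the certificate. Exit status 1 means neither
# source provides a responder, so OCSP validation of that certificate cannot succeed.
effective_ocsp_url() {
  configured=$1
  cert=$2
  if [ -n "$configured" ]; then
    echo "$configured"
    return 0
  fi
  from_cert=$(ocsp_url_of "$cert")
  if [ -n "$from_cert" ]; then
    echo "$from_cert"
    return 0
  fi
  return 1
}

# Show which responder would be used for each configuration case.
demo() {
  with_aia=$(make_sample_cert "http://ocsp.example.internal/status")
  no_aia=$(make_sample_cert "")
  echo "AIA present, no Validation URL : $(effective_ocsp_url "" "$with_aia")"
  echo "AIA present, Validation URL set: $(effective_ocsp_url "http://ocsp.example.com/override" "$with_aia")"
  if ! effective_ocsp_url "" "$no_aia"; then
    echo "no AIA, no Validation URL      : no responder available; set the Validation URL in EAA"
  fi
}

# Run "sh this_script.sh demo" to print the three cases.
case "${1:-}" in
  demo) demo ;;
esac
```

Run `ocsp_url_of` against the client certificates your users will present: if it prints nothing, the Validation URL field is mandatory for that deployment, and if it prints a hostname that only resolves inside your network, the responder must be configured as internal and bound to a connector that can reach it.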

Create an online certificate status protocol (OCSP) responder

Create an OCSP responder on EAA and add it to an identity provider (IdP).

Before you begin

First, upload your certificates to Enterprise Application Access (EAA). For more information, see Certificates in EAA.

Create an online certificate status protocol (OCSP) responder in EAA, and add it to an identity provider (IdP).

How to

  1. Log in to the Enterprise Application Access (EAA) Management Portal.
  2. From the top menu bar, click System > OCSP. The OCSP page appears.
  3. Click Add OCSP. The OCSP information page appears.
  4. Enter a unique name for the OCSP server.
  5. Select the OCSP server type.
    If internal, select an EAA connector from which the OCSP service is reachable.
  6. In the Validation URL field, enter the URL of the OCSP responder that EAA uses to validate the certificate.
  7. Click Save changes. The OCSP responder appears as a card on the OCSP page.

Next steps

Create and deploy a new IdP with OCSP as the certificate validation method. See Add a new identity provider. In the IdP General Settings section, check Certificate Validation, then select OCSP as the Certificate Validation Method.