Use OCSP for certificate validation
Checking certificate status with OCSP components

You will rarely need to check certificate status against an OCSP endpoint yourself: all work of this kind is normally delegated to the TElX509CertificateValidator component, which encapsulates all communication with CRL and OCSP services. Just in case you need more granular access to the validation, this topic explains how it is done.

To make a successful status request, you will need the certificate being checked and its CA certificate. The CA certificate is required because every OCSP request must include some parameters taken from it. You also need to know the address of the OCSP responder (ocspAddress). This can be retrieved from the Authority Information Access extension of the checked certificate (access method: OCSP, 1.3.6.1.5.5.7.48.1).

In most cases you will use the TElHTTPOCSPClient class (SBHTTPOCSPClient), as the vast majority of OCSP responders are bound to HTTP endpoints.

1. Create a TElHTTPOCSPClient object:

    TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();

2. Create an HTTP(S) transport and attach it to your OCSP client:

    TElHTTPSClient httpClient = new TElHTTPSClient();
    ocspClient.HTTPClient = httpClient;

Note: you will need to handle the TElHTTPSClient.OnCertificateValidate event if your OCSP endpoint is an HTTPS one.

3. Set the URL:

    ocspClient.URL = ocspAddress;

4. Put the checked certificate(s) into a TElMemoryCertStorage object and assign it to the CertStorage property of the client. No private keys are needed.

    TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();
    checkedCerts.Add(cert, false);
    ocspClient.CertStorage = checkedCerts;

Note: while the OCSP standard allows you to check multiple certificates in one request, some servers only support single-certificate requests.

5. Put the issuing certificate(s) of the checked certificate(s) into another TElMemoryCertStorage and assign it to the IssuerCertStorage property:

    TElMemoryCertStorage caCerts = new TElMemoryCertStorage();
    caCerts.Add(cacert, false);
    ocspClient.IssuerCertStorage = caCerts;

Note that there must be exactly one CA entry per checked certificate.

6. Call the OCSP client's PerformRequest() method:

    TElOCSPServerError serverResult = SBOCSPCommon.Unit.oseInternalError;
    byte[] reply = null;
    int res = ocspClient.PerformRequest(ref serverResult, ref reply);

7. If the request was successful, the returned value (res) will be zero, serverResult will contain the status as returned by the OCSP server, and reply will contain the OCSP response in binary form. You can load that response into a TElOCSPResponse object for further handling or add it to a higher-level object (e.g. a signature). A TElOCSPResponse object is automatically created by the OCSP client upon successful execution of the request and can be accessed via the client's Response property. Further details about the response (such as production time or nonce) can also be obtained via the OCSP client object's properties.
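The seven steps above consolidated into one method that fails closed on any transport or responder error, as an added example that is not taken from the SecureBlackbox documentation. Members not quoted above (oseSuccessful, Response.ResponseCount, Response.Responses[i].CertStatus, csGood, and the OnCertificateValidate delegate shape) are assumed from the SBB .NET API and should be checked against the version in use.

```csharp
using System;
using SBX509;
using SBCustomCertStorage;
using SBHTTPSClient;
using SBHTTPOCSPClient;
using SBOCSPCommon;

static class OcspCheck
{
    // Returns true only when the responder answers "good" for exactly this certificate.
    // Any error (network, HTTPS trust, responder status, malformed reply) yields false,
    // so a failed lookup is never mistaken for a clean one.
    public static bool IsGood(TElX509Certificate cert, TElX509Certificate cacert, string ocspAddress)
    {
        TElHTTPOCSPClient ocspClient = new TElHTTPOCSPClient();   // step 1
        TElHTTPSClient httpClient = new TElHTTPSClient();          // step 2
        // Only fires for https:// responders. Do not accept the server certificate blindly;
        // assumption: the handler delegates the decision to a TElX509CertificateValidator.
        httpClient.OnCertificateValidate +=
            (object sender, TElX509Certificate serverCert, ref bool validate) =>
            {
                validate = false; // placeholder: replace with the validator's verdict
            };
        ocspClient.HTTPClient = httpClient;
        ocspClient.URL = ocspAddress;                              // step 3

        TElMemoryCertStorage checkedCerts = new TElMemoryCertStorage();  // step 4
        checkedCerts.Add(cert, false);          // public certificate only, no private key
        ocspClient.CertStorage = checkedCerts;

        TElMemoryCertStorage caCerts = new TElMemoryCertStorage();       // step 5
        caCerts.Add(cacert, false);             // exactly one issuer per checked certificate
        ocspClient.IssuerCertStorage = caCerts;

        TElOCSPServerError serverResult = SBOCSPCommon.Unit.oseInternalError;  // step 6
        byte[] reply = null;
        int res = ocspClient.PerformRequest(ref serverResult, ref reply);

        // step 7: res == 0 means the exchange worked; serverResult is the responder's own status.
        if (res != 0 || serverResult != SBOCSPCommon.Unit.oseSuccessful)  // assumption: oseSuccessful
            return false;

        TElOCSPResponse response = ocspClient.Response;
        if (response == null || response.ResponseCount != 1)      // assumption: ResponseCount
            return false;   // we asked about one certificate; anything else is suspicious

        // Freshness (ThisUpdate/NextUpdate) and the nonce should also be checked via the
        // client's properties before trusting the verdict; omitted here for brevity.
        return response.Responses[0].CertStatus == SBOCSPCommon.Unit.csGood;  // assumption: csGood
    }
}
```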