This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring Certificate Revocation Validation
A certificate that is issued by a Certificate Authority (CA) is expected to be in use for its entire validity period. However, certain circumstances may cause a certificate to become invalid before its validity period expires, e.g., a compromise or suspected compromise of the corresponding private key. Under such circumstances, the issuing CA needs to revoke the certificate before the scheduled expiry date so that the certificate is no longer trusted.
Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) are the two mechanisms used to check whether a given X.509 certificate has been revoked by its issuer.
- A CRL is a signed list, published by the issuing CA, of the serial numbers of the certificates it has revoked. A relying party downloads the list and checks whether the certificate's serial number appears in it.
- OCSP is an internet protocol for obtaining the revocation status of a single X.509 certificate from a responder, which identifies the certificate by its issuer and serial number.
The WSO2 X509 authenticator, which performs client X.509 certificate authentication, supports certificate validation with CRL and OCSP. During the verification phase of the SSL/TLS handshake, the OCSP/CRL verification process contacts the relevant CA to check the validity of the presented certificate. If the response states that the certificate is revoked, the certificate is no longer trusted by the CA and the SSL connection to the peer is terminated.
To learn about configuring the X509 certificate authenticator, see Configuring X509Certificate Authenticator.
Explore the following sections to configure CRL and OCSP for certificate validation.
Before you begin
Locate the <IS_HOME>/repository/conf/security/certificate-validation.xml file and open it in a text editor.
Example:
<?xml version="1.0" encoding="ISO-8859-1"?>
<CertificateValidation xmlns="http://wso2.org/projects/carbon/certificate-validation.xml">
    <Validators>
        <!-- Validators are applied in ascending priority order; set enable="false" to switch one off -->
        <Validator name="org.wso2.carbon.identity.x509Certificate.validation.validator.CRLValidator"
                   displayName="CRLValidator" enable="true">
            <Parameter name="priority">1</Parameter>
            <!-- true: check every certificate in the chain, not only the client certificate -->
            <Parameter name="fullChainValidation">true</Parameter>
            <!-- number of retries when the CRL cannot be fetched -->
            <Parameter name="retryCount">2</Parameter>
        </Validator>
        <Validator name="org.wso2.carbon.identity.x509Certificate.validation.validator.OCSPValidator"
                   displayName="OCSPValidator" enable="true">
            <Parameter name="priority">2</Parameter>
            <Parameter name="fullChainValidation">true</Parameter>
            <!-- number of retries when the OCSP responder does not answer -->
            <Parameter name="retryCount">1</Parameter>
        </Validator>
    </Validators>
</CertificateValidation>