Valve for validating X.509 certificates using OCSP. Operates on the current item set.

OCSP result is added to a property on the current item and can have one of the following values:

  • GOOD


Name Description Default value Mandatory Supports property expansion
source Expression expanding to the certificate to validate Yes Yes
dest Name of item property receiving the validation status "oscp_status" No No
ocsp_use_nonce Flag indicating if nounce should be used "true" No No
ocsp_use_signature Flag indicating if request should be signd "true" No No
ocsp_signature_algorithm Name of algorithm to use for signing the request "SHA1withRSA" No No
issuer_keystore_path Path to keystore containing issuer certificate Yes No
issuer_keystore_password Issuer keystore password No No
issuer_keystore_type Issuer keystore type No No
issuer_keystore_alias Issuer keystore alias No No
signer_keystore_path Path to keystore containing key/certificate for signing Yes, if ocsp_use_signature is true No
signer_keystore_password Signer keystore password No No
signer_keystore_type Signer keystore type No No
signer_keystore_alias Signer keystore alias No No

Example Configuration

  "name": "OCSPValidatorValve",
  "enabled": "true",
  "config": {
    "source": "{{item.cert}}",
    "issuer_keystore_path": "ssl/ocsp_issuer.p12",
    "issuer_keystore_password": "***",
    "issuer_keystore_type": "PKCS12",
    "issuer_keystore_alias": "1",
    "ocsp_use_nonce": "false",
    "ocsp_use_signature": "true",
    "ocsp_signature_algorithm": "SHA256withRSA",
    "signer_keystore_path": "ssl/ocsp_auth.p12",
    "signer_keystore_password": "***",
    "signer_keystore_type": "PKCS12",
    "signer_keystore_alias": "1"