The OCSP access control module allows you to restrict the access of OCSP service based on the following options:

  • Open access for everyone 
  • Using TLS client certificates to authenticate clients
  • Using OCSP request signing to authenticate clients
  • Using IP address checking to authenticate clients

The last three options above can be used simultaneously if required.

The following screen shows the configurations which can be made:

The configuration items are as follows:


Items

Description

Allow open access

If this option is enabled, it allows open access and all requests are accepted.

Allow access based on TLS client certificates

This option has two sub-filters:

  • Allow access only to the certificates issued by a CA registered in Trust Manager.
  • Allow/deny access to certificates issued by a CA registered in Trust Manager with defined key words such as common name, organisation etc. which must appear in the certificate. E.g. choose the option include following DN attributes and set Common Name = CA1, Organisation = Ascertia for the Issuer Certificate. This allows access to TLS client certificates to OCSP service having "CA1" as its common name and "Ascertia" as its organization. Requests coming for any other issuer certificate will be rejected.

Allow access based on requests being signed

This option is used when the OCSP request message is signed by the requestor (OCSP client).  It has two sub-filters:

  • Allow access only to the certificates issued by a CA registered in Trust Manager.
  • Allow/deny access to certificates issued by a CA registered in Trust Manager with defined key words such as common name, organisation etc. which must appear in the certificate. E.g., choose the option exclude following DN attributes and set Common Name = Alice, Organisation = Ascertia for subject certificate. This will deny access to OCSP service for OCSP requests signed with a cert having "Alice" as its common name and "Ascertia" as its organization. Requests coming for any other issuer certificate will be allowed.

Allow access based on IP addresses

This option allows you to include the list of IP addresses to allow or deny. Wildcards * can be used.

  • Allow Access Example: Choose the option Include IP address and enter IP address e.g. 192.168.1.1 to give OCSP service access to this IP address only.
  • Deny Access Example: Choose the option Exclude IP address and enter IP address e.g. 192.168.1.1 to deny OCSP service access to this IP address only.
  • Wildcard Example: Choose any option i.e. Exclude IP address or Include IP address and give IP address e.g. 192.168.*.* to deny/allow OCSP service access to any IP address falling in this IP range.


Choosing the option Allow access based on TLS Client Certificates or Allow access based on requests being signed and clicking + button will show the following screen where filtering can be performed based on Issuer or Subject DN Attributes:




Also, choosing the option Allow access based on IP addresses and clicking +d button will show the following screen where filtering can be performed based on IP Address:

Please note at least one include entry is must before an exclude entry can be made in all above cases. Also, it is necessary to restart OCSP service whenever any change is made in OCSP Service >> access control settings.

See also

Support for Multiple Trust Models

Multiple CA and Unique Certificate Validation Policies
Configuring the OCSP Service

General Policy Settings
Forwarding Modes
Access Control
Transactions Logs
Logs Archiving
Alerts
Advanced Settings
Optimising ADSS OCSP Server Performance
Operating OCSP Service in FIPS 201 Compliant Mode

OCSP Service Interface URLs