Valve for validating X.509 certificates using OCSP. Operates on the Current Item Set.

OCSP result is added to a property on the current item and can have one of the following values:

  • GOOD


Name Description Default value Mandatory Supports property expansion
source Expression expanding to the certificate to validate. Yes Yes
dest Name of item property receiving the validation status. oscp_status No No
ocsp_use_nonce Flag indicating if nounce should be used. true No No
ocsp_use_signature Flag indicating if request should be signed. true No No
ocsp_signature_algorithm Name of algorithm to use for signing the request. SHA1withRSA No No
issuer_keystore_path Path to keystore containing issuer certificate. Yes No
issuer_keystore_password Issuer keystore password. No No
issuer_keystore_type Issuer keystore type. No No
issuer_keystore_alias Issuer keystore alias. No No
signer_keystore_path Path to keystore containing key/certificate for signing. Yes, if ocsp_use_signature is true No
signer_keystore_password Signer keystore password. No No
signer_keystore_type Signer keystore type. No No
signer_keystore_alias Signer keystore alias. No No

Example Configuration

  "name": "OCSPValidatorValve",
  "enabled": "true",
  "config": {
    "source": "{{item.cert}}",
    "issuer_keystore_path": "ssl/ocsp_issuer.p12",
    "issuer_keystore_password": "{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7cu7Y0=",
    "issuer_keystore_type": "PKCS12",
    "issuer_keystore_alias": "1",
    "ocsp_use_nonce": "false",
    "ocsp_use_signature": "true",
    "ocsp_signature_algorithm": "SHA256withRSA",
    "signer_keystore_path": "ssl/ocsp_auth.p12",
    "signer_keystore_password": "{enc}iLshlMBuAOrybFnFztw02GCgP385ptNkyNjMa7JJ7Y0=",
    "signer_keystore_type": "PKCS12",
    "signer_keystore_alias": "1"