Add cert revocation improvement docs
...tall-and-setup/setup/advance-configurations/configure-certificate-revocation.md
@@ -0,0 +1,43 @@ | ||
# Verifying Certificate Revocation | ||
|
||
The default HTTPS transport listener (Secured Pass-Through) can verify with the certificate authority whether a certificate is still trusted before it completes an SSL connection. If the certificate authority has revoked the certificate, a connection will not be completed. | ||
|
||
When this feature is enabled, the transport listener verifies client | ||
certificates when a client tries to make an HTTPS connection with the server. Therefore, the client needs to send it's public certificate along with the requests to the server. | ||
|
||
When this feature is enabled, the server attempts to | ||
use the Online Certificate Status Protocol (OCSP) to verify with the | ||
certificate authority at the handshake phase of the SSL protocol. If the | ||
OCSP is not supported by the certificate authority, the server uses Certified Revocation Lists (CRL) instead. The verification | ||
process checks all the certificates in a certificate chain. | ||
|
||
To enable this feature for the HTTP Pass-Through, add the following parameters in the deployment.toml file. and set ```enable``` as ```true```. | ||
This will add these parameters to the Passthrough HTTP Multi SSL Listener in axis2.xml file. | ||
Other configurations can be changed according to the requirement. The default configurations are mentioned below. | ||
|
||
```toml | ||
[transport.passthru_https.listener.cert_revocation_validation] | ||
enable = false | ||
cache_size = 1024 | ||
cache_delay = 1000 | ||
allow_full_cert_chain_validation = true | ||
allow_cert_expiry_validation = false | ||
``` | ||
|
||
When ```allow_full_cert_chain_validation``` is ```true``` it is required to send the complete certificate chain in the request. | ||
The ```allow_cert_expiry_validation``` can be set to ```true``` if the certificate expiry validation is required. | ||
|
||
When ```allow_full_cert_chain_validation``` is ```false``` a single client certificate is expected in the request and the revocation validation will be done for that certificate. For this to happen it is required to add the immediate issuer of the client certificate in the server's trust store. | ||
Same as above, the ```allow_cert_expiry_validation``` can be set to ```true``` if the certificate expiry validation is required. | ||
|
||
When custom listener profiles are added, following configuration can be used to configure the custom listenerprofiles.xml file. | ||
|
||
``` | ||
<CertificateRevocationVerifier> | ||
<Enable>true</Enable> | ||
<CacheSize>1024</CacheSize> | ||
<CacheDelay>1000</CacheDelay> | ||
<FullChainValidation>false</FullChainValidation> | ||
<ExpiryValidation>true</ExpiryValidation> | ||
</CertificateRevocationVerifier> | ||
``` |
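Review bot: "Certified Revocation Lists (CRL)" in the paragraph on the OCSP fallback should read "Certificate Revocation Lists (CRL)", which is what the acronym expands to. Smaller wording and markup points in the same hunk: "the client needs to send it's public certificate" should be "its"; "in the deployment.toml file. and set ```enable``` as ```true```" has a stray full stop, and the triple-backtick inline spans here and in the later ```allow_full_cert_chain_validation``` / ```allow_cert_expiry_validation``` sentences would be clearer as single-backtick code spans; "listenerprofiles.xml" reads as one token and should be "the custom `listenerprofiles.xml` file"; the second fence has no language tag, so ```xml would render it properly. On content, `cache_size` and `cache_delay` are listed without saying what the cache holds or the unit of `cache_delay` (seconds or milliseconds), which an operator tuning OCSP/CRL caching needs to know. Also, the `listenerprofiles.xml` sample sets `FullChainValidation` to `false` and `ExpiryValidation` to `true` while the TOML block just above is introduced as the defaults (`true` and `false`); either say the XML block is an illustrative profile rather than the defaults, or align the two so readers do not copy a non-default setting by mistake.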