Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add cert revocation improvement docs #7726

Merged
merged 3 commits into from
Mar 8, 2024
Merged

Add cert revocation improvement docs #7726

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7751421
Add cert revocation improvement docs
Akila94 Mar 4, 2024
d0a803d
Fix PR comments
Akila94 Mar 7, 2024
a14b168
Fix PR comments
Akila94 Mar 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions ...tall-and-setup/setup/advance-configurations/configure-certificate-revocation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# Verifying Certificate Revocation

The default HTTPS transport listener (Secured Pass-Through) can verify with the certificate authority whether a certificate is still trusted before it completes an SSL connection. If the certificate authority has revoked the certificate, a connection will not be completed.

When this feature is enabled, the transport listener verifies client
certificates when a client tries to make an HTTPS connection with the server. Therefore, the client needs to send its public certificate along with the requests to the server.

After this feature is enabled, the server attempts to
use the Online Certificate Status Protocol (OCSP) to verify with the
certificate authority at the handshake phase of the SSL protocol. If the
OCSP is not supported by the certificate authority, the server uses Certified Revocation Lists (CRL) instead. The verification
process checks all the certificates in a certificate chain.

To enable this feature for the HTTP Pass-Through, add the following parameters in the ```<WSO2_APIM_HOME>/repository/conf/deployment.toml``` file. and set ```enable``` as ```true```.
This will add these parameters to the Passthrough HTTP Multi SSL Listener in ```<WSO2_APIM_HOME>/repository/conf/axis2/axis2.xml``` file.
Other configurations can be changed according to the requirement. The default configurations are mentioned below.

```toml
[transport.passthru_https.listener.cert_revocation_validation]
enable = false
cache_size = 1024
cache_delay = 1000
allow_full_cert_chain_validation = true
allow_cert_expiry_validation = false
```

When ```allow_full_cert_chain_validation``` is set to ```true``` it is required to send the complete certificate chain in the request.
The ```allow_cert_expiry_validation``` can be set to ```true``` if the certificate expiry validation is required.

If the ```allow_full_cert_chain_validation``` is set to ```false``` a single client certificate is expected in the request and the revocation validation will be done for that certificate. For this to happen it is required to add the immediate issuer of the client certificate in the server's trust store.
Same as above, the ```allow_cert_expiry_validation``` can be set to ```true``` if the certificate expiry validation is required.

In the instances of custom listener profiles are added, following configuration can be used to configure the custom ```<WSO2_APIM_HOME>/repository/resources/security/listenerprofiles.xml``` file.

```
<CertificateRevocationVerifier>
<Enable>true</Enable>
<CacheSize>1024</CacheSize>
<CacheDelay>1000</CacheDelay>
<FullChainValidation>false</FullChainValidation>
<ExpiryValidation>true</ExpiryValidation>
</CertificateRevocationVerifier>
```