Does Apigee support OCSP/CRL?

nsaini

Hi

Can anybody confirm whether Apigee supports OCSP/CRL? I was told that it's not supported by Apigee. However, I could see an OCSP setting in the virtual host. We need it for an open banking implementation.

TIA


Hi @NSaini1, I am not sure of earlier versions, but as per the docs, in Edge for Private Cloud release 4.18.01, OCSP stapling is supported for virtual hosts.

https://docs.apigee.com/release/notes/sneak-preview-edge-private-cloud-release-41801

Virtual hosts now support OCSP stapling for one-way and two-way TLS. When enabled, an OCSP (Online Certificate Status Protocol) client sends a status request to an OCSP responder to determine if the certificate is valid. The response indicates if the certificate is valid and not revoked.

By default, OCSP stapling is off. TLS must be enabled on the virtual host to enable OCSP.

Yes, I checked that. Thanks @Siddharth Barahalikar. Just wanted to confirm before using it, as there is not much detail given about this.


Hi @Dino-at-Google @NICOLA, can you guys help here?

Yes, as documented.

OCSP is supported in the vhost.

Hi Dino

Just wanted to understand more on this. What certificate directory is being used for CRL/OCSP in Apigee if I enable this in the vhost? Not much detail is provided in the documentation.

The "directory of certs" is managed by each OCSP responder. OCSP uses the OCSP Responder that is configured on the certificate. Here's more information on OCSP Stapling.

https://en.wikipedia.org/wiki/OCSP_stapling

https://security.stackexchange.com/questions/29686/how-does-ocsp-stapling-work

Some key points:

  • The cert itself provides a URL at which the SERVER can retrieve an OCSP response. This URL will be different for each CA.
  • The OCSP response is signed. Therefore it does not matter how the client receives it. It does not break integrity for the server to check for its own cert revocation and return the OCSP response to the client. The client can rely on the response even though it is the server that is passing the response to the client, because the response is signed.