server/WEB-INF/conf/trust.bml
This file specifies trust relationships between the Validation Responder and foreign certificates. It can be used to override the default settings from:
server/WEB-INF/conf/trust-defaults.bml
There are two categories of trust that can be configured for the Validation Responder. For each category, configuration code like the following is used for every certificate that is to be trusted.
- The object identifier in the <string> parameter specifies the type of trust to be configured.
- The number in the depth parameter specifies the maximum length of the chain of certificates that can be used to link the certificate being tested to a trusted certificate.
- The value of the certificatePEM parameter is the base-64 (PEM) encoded certificate to be trusted.
<add>
  <string>1.3.6.1.5.5.7.3.9.1</string>
  <bean class="com.corestreet.rtc.TrustedCertificate">
    <property name="depth" value="2"/>
    <property name="certificatePEM">
      <string>
... put your PEM certificate here, not indented ...
      </string>
    </property>
  </bean>
</add>
SSL Client
- SSL Client trust is specified by using the object identifier 1.3.6.1.5.5.7.3.2.
- Configuring SSL Client trust restricts the set of client certificates that will be trusted when the Validation Responder receives OCSP requests via HTTPS. The SSL session will only be accepted if the client certificate is explicitly trusted or can be chained back to a trusted certificate with fewer than the configured depth of certificates in the chain.
OCSP Request
- OCSP Request trust is specified by using the object identifier 1.3.6.1.5.5.7.3.9.1.
- Configuring OCSP Request trust restricts the set of relying parties that will be trusted when the Validation Responder receives digitally signed OCSP requests. The request will only be serviced if it is digitally signed and the signer’s certificate is explicitly trusted or can be chained back to a trusted certificate with fewer than the configured depth of certificates in the chain.
- If OCSP Request trust is configured, then unsigned OCSP requests will be rejected.
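A small lint script for the <add> entries described above, added here as an example and not part of the Validation Responder distribution. It assumes the entries sit under a single root element (a constructed <trust> root), uses only the Python standard library, and the base64 body in the sample is a constructed placeholder, not a real certificate.

```python
import binascii
import ssl
import xml.etree.ElementTree as ET

# The two trust categories described above (OID -> category name).
KNOWN_OIDS = {"1.3.6.1.5.5.7.3.2": "SSL Client",
              "1.3.6.1.5.5.7.3.9.1": "OCSP Request"}
BEAN_CLASS = "com.corestreet.rtc.TrustedCertificate"

def lint_trust_entries(xml_text):
    """Return (entry_index, problem) tuples for every <add> entry; [] means clean."""
    problems = []
    for i, add in enumerate(ET.fromstring(xml_text).iter("add")):
        oid = (add.findtext("string") or "").strip()
        if oid not in KNOWN_OIDS:
            problems.append((i, "unknown trust OID %r" % oid))
        bean = add.find("bean")
        if bean is None or bean.get("class") != BEAN_CLASS:
            problems.append((i, "missing or wrong bean class"))
            continue
        props = {p.get("name"): p for p in bean.findall("property")}
        depth = props.get("depth")
        if depth is None or not (depth.get("value") or "").isdigit():
            problems.append((i, "depth must be a non-negative integer"))
        pem_prop = props.get("certificatePEM")
        pem = pem_prop.findtext("string") if pem_prop is not None else None
        if not pem or not pem.strip():
            problems.append((i, "certificatePEM is empty"))
            continue
        # The file format requires the PEM block to be unindented.
        if any(l != l.lstrip() for l in pem.splitlines() if l.strip()):
            problems.append((i, "PEM block is indented"))
        try:
            der = ssl.PEM_cert_to_DER_cert(pem.strip())
        except (ValueError, binascii.Error):
            problems.append((i, "PEM block is not a valid certificate envelope"))
            continue
        if not der.startswith(b"\x30"):  # an X.509 Certificate is a DER SEQUENCE
            problems.append((i, "decoded certificate is not a DER SEQUENCE"))
    return problems

# Constructed sample: a clean OCSP Request entry, then one with three mistakes.
# The base64 body is a placeholder DER SEQUENCE, not a real certificate.
PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----"
ENTRY = """<add><string>%s</string>
<bean class="com.corestreet.rtc.TrustedCertificate">
<property name="depth" value="%s"/>
<property name="certificatePEM"><string>
%s
</string></property></bean></add>"""
SAMPLE = "<trust>%s%s</trust>" % (ENTRY % ("1.3.6.1.5.5.7.3.9.1", "2", PEM),
                                  ENTRY % ("1.3.6.1.5.5.7.3.1", "two", "    " + PEM))

if __name__ == "__main__":
    for index, problem in lint_trust_entries(SAMPLE):
        print("entry %d: %s" % (index, problem))
```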