Configuring OCSP-CRL Certificate Revocation Checking

To configure a Solace PubSub+ event broker to use a certificate authority (CA) with combined OCSP-CRL certificate revocation checking, complete the following steps:

Step 1: Review Prerequisites

To successfully use CA certificates with certificate revocation checking, the following configurations are required on a Solace PubSub+ event broker:

Step 2: Configure Certificate Authorities

To configure a CA, see Configuring the Client Authentication Certificate Authorities List.

Step 3: Configure OCSP and CRL Parameters

When using OCSP-CRL certificate revocation checking, you can configure optional CRL and OCSP parameters.

Step 4: Enable CA Revocation Checking

For the event broker to successfully use the CA, enable revocation checking:

solace(configure/authentication/client-certificate-authority/revocation-check)# no shutdown

Step 5: Configure Message VPN Overrides

You can optionally configure revocation overrides for specific Message VPNs, based on the revocation status of the client certificates.

To configure the revocation checking overrides, see Configuring Message VPN Overrides.

Step 6: Enable OCSP-CRL Certificate Revocation Checking

Once the CA and CRL configurations are complete, certificate revocation checking can be enabled for the event broker.

  1. Enable OCSP-CRL certificate revocation checking for the event broker:

    solace(configure)# authentication
    solace(configure/authentication)# client-certificate-revocation-checking ocsp-crl

  2. Verify that OCSP-CRL certificate revocation checking has been enabled:

    solace(configure/authentication)# show authentication