Configuring OCSP-CRL Certificate Revocation Checking

To configure a Solace PubSub+ message broker to use a certificate authority (CA) with combined OCSP-CRL certificate revocation checking, complete the following steps:

Step 1: Review Prerequisites

To successfully use CA certificates with certificate revocation checking, the following configurations are required on a Solace PubSub+ message broker:

Step 2: Configure Certificate Authorities

To configure a CA, see Configuring Certificate Authorities.

Step 3: Configure OCSP and CRL Parameters

When using OCSP-CRL certificate revocation checking, you can configure optional CRL and OCSP parameters.

Step 4: Enable CA Revocation Checking

For the message broker to successfully use the CA, enable revocation checking:

    solace(configure/authentication/certificate-authority/revocation-check)# no shutdown

Step 5: Configure Message VPN Overrides

You can optionally configure revocation overrides for specific Message VPNs, based on the revocation status of the client certificates.

To configure the revocation checking overrides, see Configuring Message VPN Overrides.

Step 6: Enable OCSP-CRL Certificate Revocation Checking

Once the CA and CRL configurations are complete, certificate revocation checking can be enabled for the message broker.

  1. Enable OCSP-CRL certificate revocation checking for the message broker:

    solace(configure)# authentication
    solace(configure/authentication)# client-certificate-revocation-checking ocsp-crl

  2. Verify that OCSP-CRL certificate revocation checking has been enabled:

    solace(configure/authentication)# show authentication