VA delegated trust model

When you use the VA delegated trust model with Axway Validation Authority, the certificate that signs OCSP responses (the signing certificate) is the OCSP signing certificate of the delegated VA root, not the certificate of the CA that issued the target certificate.

In this model, the signing certificate is included in the OCSP response itself, so API Gateway does not need to hold it in advance. API Gateway must still be able to trust it: if the signing certificate is not in the API Gateway certificate store, the certificate of its issuer (the CA that issued the signing certificate) must be.

Configure VA delegated trust

To configure the VA delegated trust model, perform the following steps:

  1. Import the signing certificate
  2. Configure a policy with two OCSP client filters

Import the signing certificate

Using Policy Studio, import the signing certificate into the API Gateway certificate store.

Figure: Import signing certificate

For more information on importing certificates, see the API Gateway Policy Developer Guide.

Configure a policy with two OCSP client filters

This use case requires two chained OCSP client filters:

  • One filter to verify the target certificate
  • One filter to verify the response signing certificate

Figure: Sample policy for VA delegated trust

Verify target certificate

In this OCSP client filter, set the OCSP Responder URL to the VA server configured for VA delegated trust. This server can validate the target certificate because it holds the issuer (CA) details for the target certificate.

Figure: Verify target certificate

Extract the certificate from the certificate message attribute. Select the Validate response option, and select both the Against the certificate contained in the response and the Against the CA certificate of the certificate being validated check boxes. These check boxes tell the filter which certificates it may use to verify the signature on the OCSP response: the signing certificate carried in the response, and the CA certificate of the target certificate.

Figure: Verify target certificate settings

Verify signing certificate

Validation Authority places the URL of the OCSP responder that can report the status of the signing certificate in the Authority Information Access (AIA) extension of that signing certificate. The API Gateway OCSP client cannot read the responder URL from this extension, so the URL must be configured statically in the filter.

This example therefore points the second filter directly at the root VA server and trusts the root VA certificate explicitly:

Figure: Verify signing certificate

Extract the signing certificate from the ocsp.response.signing.certificate message attribute, which the first filter sets from the certificate carried in the response. Select the Validate response option and the Against the specified certificate check box, then click Signing Key and select the root VA certificate. Because both the responder URL and the trusted certificate are fixed in this filter, the policy must be updated whenever the root VA certificate is rotated.

Figure: Verify signing certificate settings

For more information on the OCSP client filter settings, see the API Gateway Policy Developer Filter Reference.
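The following Python example reproduces the two-step validation that the two chained filters above perform, for the Verify target certificate and Verify signing certificate steps together. It is an added example written for this page, not Axway code or an Axway API, and uses the cryptography package. The PKI (a target CA and target certificate, a root VA, and a delegated responder certificate issued by the root VA) is generated in memory as constructed test data, all keys are RSA, and the hypothetical callable ask_root_va stands in for the OCSP request the second filter sends to the root VA server. The issuer and OCSPSigning extended key usage checks on the signing certificate go beyond the filter settings shown on the page; the rogue_responder case shows why the second step matters, since a response carrying a self-issued signing certificate passes the first step on its own.

```python
import datetime as dt
import hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = dt.datetime.now(dt.timezone.utc)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer_cert, issuer_key, key, ca=False, ocsp_signer=False):
    """Issue a one-day certificate for the constructed PKI; issuer_cert=None means self-signed."""
    b = (x509.CertificateBuilder().subject_name(_name(cn))
         .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - dt.timedelta(minutes=5)).not_valid_after(NOW + dt.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signer:  # RFC 6960 4.2.2.2: a delegated responder certificate carries the OCSPSigning EKU
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def _responder_issued_by(cert, root):
    """Added check: cert chains (one hop) to root and carries the OCSPSigning EKU."""
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except (InvalidSignature, x509.ExtensionNotFound):
        return False
    return cert.issuer == root.subject and ExtendedKeyUsageOID.OCSP_SIGNING in eku

def _rsa_key_hash(cert):
    """RFC 6960 KeyHash: SHA-1 of the subjectPublicKey BIT STRING contents (the PKCS#1 RSAPublicKey DER for RSA keys)."""
    return hashlib.sha1(cert.public_key().public_bytes(Encoding.DER, PublicFormat.PKCS1)).digest()

def build_response(subject_cert, issuer_cert, signer_cert, signer_key, revoked=False, embed_signer=True):
    """Responder side (constructed): a signed OCSP response about subject_cert, optionally carrying the signer cert."""
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=subject_cert, issuer=issuer_cert, algorithm=hashes.SHA1(), cert_status=status,
                       this_update=NOW, next_update=NOW + dt.timedelta(hours=1),
                       revocation_time=NOW if revoked else None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert))
    if embed_signer:
        b = b.certificates([signer_cert])
    return b.sign(signer_key, hashes.SHA256())

def validate_response(resp, subject_cert, trusted_signers=(), use_embedded=True):
    """Client side, modelled on the filter's Validate response check boxes: trusted_signers plays the
    'Against the CA certificate ...' / 'Against the specified certificate' role, use_embedded the
    'Against the certificate contained in the response' role. Returns (ok, reason, signer_cert)."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, f"responder returned {resp.response_status.name}", None
    candidates = list(trusted_signers) + (list(resp.certificates) if use_embedded else [])
    signer = next((c for c in candidates
                   if (resp.responder_name is not None and c.subject == resp.responder_name)
                   or (resp.responder_key_hash is not None and _rsa_key_hash(c) == resp.responder_key_hash)), None)
    if signer is None:
        return False, "no acceptable certificate matches the responder ID", None
    try:
        signer.public_key().verify(resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "response signature does not verify", None
    if resp.serial_number != subject_cert.serial_number:
        return False, "response is about a different certificate", None
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, f"status {resp.certificate_status.name}", signer
    return True, "good", signer

def delegated_trust_check(target_resp, target_cert, target_ca_cert, root_va_cert, ask_root_va):
    """The two chained filters; ask_root_va(cert) is a hypothetical stand-in for the OCSP request to the root VA."""
    ok, why, signer = validate_response(target_resp, target_cert, trusted_signers=[target_ca_cert])
    if not ok:
        return False, "target: " + why
    # Added check beyond the page's settings: otherwise any certificate embedded in a response would be accepted.
    if not _responder_issued_by(signer, root_va_cert):
        return False, "signing certificate was not issued by the root VA for OCSP signing"
    ok, why, _ = validate_response(ask_root_va(signer), signer, trusted_signers=[root_va_cert], use_embedded=False)
    return (True, "target good; signing certificate good") if ok else (False, "signing certificate: " + why)

def demo(revoked=False, rogue_responder=False):
    """Build the constructed PKI and run the chained check; rogue_responder uses a self-issued signing certificate."""
    ca_key, va_key, rsp_key, tgt_key = (rsa.generate_private_key(65537, 2048) for _ in range(4))
    target_ca = _cert("Target CA", None, ca_key, ca_key, ca=True)
    target = _cert("target.example", target_ca, ca_key, tgt_key)
    root_va = _cert("Root VA", None, va_key, va_key, ca=True)
    if rogue_responder:
        responder = _cert("Rogue Responder", None, rsp_key, rsp_key, ocsp_signer=True)
    else:
        responder = _cert("Delegated VA Responder", root_va, va_key, rsp_key, ocsp_signer=True)
    target_resp = build_response(target, target_ca, responder, rsp_key, revoked=revoked)
    ask_root_va = lambda cert: build_response(cert, root_va, root_va, va_key, embed_signer=False)
    return delegated_trust_check(target_resp, target, target_ca, root_va, ask_root_va)
```

demo() returns (True, ...) for a good target; demo(revoked=True) fails at the first step with the REVOKED status, and demo(rogue_responder=True) passes the first step (the embedded certificate verifies its own response) but is rejected because the signing certificate was not issued by the root VA. The responder ID matching by key hash assumes RSA keys, as the comment on _rsa_key_hash states.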
