Direct trust model

When using the direct trust model with Axway Validation Authority, the signing certificate is the VA server certificate, which is self-signed.

In this model, OCSP responses are signed with the OCSP signing certificate of the VA server. The signing certificate is not included in the OCSP response.

Configure direct trust

To configure the direct trust model, perform the following steps:

  1. Import the certificate
  2. Configure an OCSP client filter

Import the certificate

Using Policy Studio, import the certificate into the API Gateway certificate store.

Figure: Import certificate into certificate store

For more information on importing certificates, see the API Gateway Policy Developer Guide.

Configure an OCSP client filter

In Policy Studio, configure an OCSP Client filter with the following settings:

General settings

  • Enter the address of the Validation Authority system configured for direct trust in the OCSP Responder URL field. This example uses an HTTP connection.

Settings tab

  • Enter the name of the message attribute that contains the certificate to validate. In this example, the target certificate is extracted from a message attribute called certificate.
  • Select the Validate response option and select the Against the specified certificate check box. Click Signing Key to choose the VA server OCSP signing certificate from the certificate store or to specify a certificate to bind to at runtime.

Figure: OCSP client settings

You can use the default values for the other settings. For more information on the settings, see the API Gateway Policy Developer Filter Reference.
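The validation that the "Against the specified certificate" option asks for can be reproduced with the OpenSSL command line. This is an added example, not Axway code or part of the original procedure: the `openssl ocsp` responder stands in for the VA server, and every certificate, name and file is a throwaway lab value generated locally. It shows that a response carrying no signer certificate verifies only against the exact pinned certificate.

```bash
#!/usr/bin/env bash
# Added lab example: all keys, names and files are constructed throwaway values.
set -e
q() { "$@" >/dev/null 2>&1; }   # run quietly; a failure still aborts under set -e

build_lab() (   # build_lab DIR -> DIR/resp.der, ca.pem, va.pem, impostor.pem
  cd "$1"
  # Demo CA and the target certificate whose status is queried (serial 0x1001)
  q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 2
  q openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=target"
  q openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 -out leaf.pem -days 2
  # Self-signed responder certificate (stand-in for the VA server), plus a second
  # self-signed certificate with the same subject but a different key
  q openssl req -x509 -newkey rsa:2048 -nodes -keyout va.key -out va.pem -subj "/CN=Demo VA" -days 2
  q openssl req -x509 -newkey rsa:2048 -nodes -keyout imp.key -out impostor.pem -subj "/CN=Demo VA" -days 2
  # Minimal CA database listing serial 1001 as valid
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=target\n' > index.txt
  q openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der
  # -resp_no_certs: sign with the responder key but embed no certificate in the response
  q openssl ocsp -index index.txt -CA ca.pem -rsigner va.pem -rkey va.key \
      -resp_no_certs -reqin req.der -respout resp.der
)

verify_resp() {   # verify_resp RESP [trust options]; status 0 = signature accepted
  resp=$1; shift
  out=$(openssl ocsp -respin "$resp" "$@" 2>&1) || true
  case $out in *"Response verify OK"*) return 0 ;; *) return 1 ;; esac
}

embeds_cert() {   # status 0 if the response carries any certificate
  openssl ocsp -respin "$1" -noverify -resp_text 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

lab=$(mktemp -d); build_lab "$lab"
embeds_cert "$lab/resp.der" || echo "response carries no signer certificate"
verify_resp "$lab/resp.der" -CAfile "$lab/ca.pem" || echo "CA trust alone: rejected (signer not found)"
verify_resp "$lab/resp.der" -VAfile "$lab/va.pem" && echo "pinned VA certificate: accepted"
verify_resp "$lab/resp.der" -VAfile "$lab/impostor.pem" || echo "same name, different key: rejected"
```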
