Machines running behind strict firewalls may fail to validate certificates because the Certificate Revocation checks can occasionally be blocked.
The Certificate Revocation List is hosted by Thawte and requires connections to different IP addresses from those needed to reach our platform.
How to Resolve These Issues
CRL/OCSP Support
- Verify that the firewall isn't blocking CRL/OCSP checks.
- Alternatively, check whether the firewall supports OCSP forwarding.
Proxy
The configuration below can be added to the ChipDNA Server config to set up a proxy for the Revocation Checks. Revocation checking is then performed through our platform instead of connecting to Thawte's IPs directly. This is supported in ChipDNA v1.18+.
<ChipDnaServer version="1.0.0">
  <CrlProxy uri="https://live.cardeasexml.com/crl.cex" timeout="10000">true</CrlProxy>
  <OcspProxy uri="https://live.cardeasexml.com/ocsp.cex" timeout="10000">true</OcspProxy>
</ChipDnaServer>
ChipDNA 2.04+ automatically proxies the revocation checks through our platform.
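As an added example (not ChipDNA code), the script below reads the CrlProxy/OcspProxy settings from the server config, derives the hosts the firewall must allow outbound, and TCP-probes them so a blocked revocation path shows up as a timeout before certificate validation starts failing. The embedded config is constructed from the snippet above; the helper names and the injectable connect function are assumptions.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed from the config snippet on this page.
CONFIG = """<ChipDnaServer version="1.0.0">
  <CrlProxy uri="https://live.cardeasexml.com/crl.cex" timeout="10000">true</CrlProxy>
  <OcspProxy uri="https://live.cardeasexml.com/ocsp.cex" timeout="10000">true</OcspProxy>
</ChipDnaServer>"""

def revocation_proxies(config_xml):
    """{tag: (uri, timeout_seconds)} for each proxy element whose text is 'true'.
    Config timeouts are milliseconds; a non-https proxy uri is rejected."""
    root = ET.fromstring(config_xml)
    proxies = {}
    for tag in ("CrlProxy", "OcspProxy"):
        el = root.find(tag)
        if el is None or (el.text or "").strip().lower() != "true":
            continue
        uri = el.get("uri", "")
        if urlparse(uri).scheme != "https":
            raise ValueError(f"{tag}: proxy uri must use https, got {uri!r}")
        proxies[tag] = (uri, int(el.get("timeout", "10000")) / 1000)
    return proxies

def egress_hosts(proxies):
    """Sorted (host, port) pairs the firewall must allow outbound."""
    parsed = [urlparse(uri) for uri, _ in proxies.values()]
    return sorted({(p.hostname, p.port or 443) for p in parsed})

def probe(host, port, timeout, connect=socket.create_connection):
    """TCP-connect probe. A silently dropping firewall shows as 'timeout';
    `connect` is injectable (an assumption) so the logic can run offline."""
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "refused/unreachable"

def preflight(config_xml, connect=socket.create_connection):
    """Map 'host:port' -> probe result for every enabled proxy endpoint."""
    proxies = revocation_proxies(config_xml)
    timeout = min((t for _, t in proxies.values()), default=10)
    return {f"{h}:{p}": probe(h, p, timeout, connect) for h, p in egress_hosts(proxies)}

if __name__ == "__main__":
    for endpoint, state in preflight(CONFIG).items():
        print(endpoint, state)
```

A "timeout" result for the proxy host is the signature of a firewall silently dropping the connection; "refused/unreachable" points at routing or DNS rather than a filtering rule.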
Whitelisting IPs
An alternative to the proxy method above is to whitelist the Thawte IPs listed at the following link.