OCSP Validation of Client Certificate Not Working
Symptoms
OCSP validation of client certificates for GlobalProtect fails when the responder is a Microsoft Online Responder running the Lightweight OCSP Profile.
Issue
Confirm that the certificate validates successfully against the OCSP server when the check is run from a host other than the firewall. Keep in mind that the firewall includes a nonce extension in its OCSP request, so a test query that omits the nonce may succeed where the firewall's query fails.
Check mp-log sslmgr.log for the following error messages (or similar):
Jul 30 15:46:59 sslmgr: ike mgr client certificate profile commit
Jul 30 15:52:16 Error: pan_ocsp_parse_response(pan_crl.c:1262): [OCSP] The result of Certificate status query is unavailable for serial number[6128D58D000000000004] and uri[http://labsrv1.stealthllama.local/ocsp]
Jul 30 15:52:16 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1948): pan_ocsp_parse_response() failed
There might also be error messages like the ones below:
Jul 31 18:24:31 sslmgr_sysd_verify_cert(sslmgr_sysd.c:164): vsys id(1) profile name(StealthllamaClients) cert len (2034) obj len(2074) struct length(40)
Jul 31 18:24:31 [OCSP] URL (null) serialno: 6128D58D000000000004
Jul 31 18:24:31 pan_ocsp_certchain_to_file(pan_crl.c:1066): root_ca_fname(Clr3Zk-uU9Jad2n)
Jul 31 18:24:31 pan_ocsp_query_responder(pan_crl.c:1807): cetificate valid time information (Issuer: Not Before[Jul 29 15:51:18 2012 GMT]; Not After[Jul 29 16:01:16 2017 GMT]; Cert: Not Before[Jul 29 16:24:45 2012 GMT]; Not After[Jul 29 16:24:45 2013 GMT];)
Jul 31 18:24:31 pan_ocsp_parse_response(pan_crl.c:1187): Responder Error: unauthorized (6)
Jul 31 18:24:31 Error: pan_ocsp_parse_response(pan_crl.c:1262): [OCSP] The result of Certificate status query is unavailable for serial number[6128D58D000000000004] and uri[http://labsrv1.stealthllama.local/ocsp]
Jul 31 18:24:31 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1948): pan_ocsp_parse_response() failed
Jul 31 18:24:31 sslmgr_check_status(sslmgr_main.c:671): [OCSP] Certificate status unavailable: depth:0
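The following script is an added example, not part of the original article or of PAN-OS. It reproduces the check described above offline: it builds an OCSP request carrying a nonce extension, as the firewall does, and classifies three responder behaviours, a responder that rejects the request with unauthorized (6), as in the log above; a responder that answers but silently drops the nonce; and a responder that echoes it correctly. The CA, client certificate and responder are all generated at run time with the `cryptography` library (assumed installed); the hostnames and serial numbers from the log excerpt are not used.

```python
"""Reproduce the firewall's nonce-bearing OCSP query against three simulated responders.

Constructed example: a throwaway CA, a client certificate and three responder
answers built with the `cryptography` library. Nothing here contacts a real
responder; every certificate and nonce is generated when the script runs.
"""
import datetime
import os

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _cert(cn, issuer_cn, key, signing_key, is_ca):
    """Mint a minimal X.509 certificate (constructed test data, not a real PKI)."""
    now = datetime.datetime.utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def build_nonced_request(cert, issuer):
    """Build an OCSP request the way the firewall does: with a nonce extension.

    Returns (DER-encoded request, nonce) so the caller can verify the echo later.
    """
    nonce = os.urandom(16)
    req = (
        ocsp.OCSPRequestBuilder()
        .add_certificate(cert, issuer, hashes.SHA1())
        .add_extension(x509.OCSPNonce(nonce), critical=False)
        .build()
    )
    return req.public_bytes(serialization.Encoding.DER), nonce


def diagnose(response_der, expected_nonce):
    """Classify a responder's answer to a nonced request.

    A non-successful status such as unauthorized (6) matches the sslmgr.log excerpt.
    A SUCCESSFUL answer that does not echo the nonce is the other way a
    nonce-agnostic responder fails a client that insists on the nonce.
    """
    resp = ocsp.load_der_ocsp_response(response_der)
    status = resp.response_status
    if status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return f"responder error: {status.name.lower()} ({status.value})"
    try:
        echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return "nonce not echoed: responder ignores the nonce extension"
    if echoed != expected_nonce:
        return "nonce mismatch: possible replayed or cached response"
    return f"ok: {resp.certificate_status.name.lower()}"


def simulate():
    """Run one nonced request against the three responder behaviours."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Lab Root CA", "Lab Root CA", ca_key, ca_key, True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _cert("client01", "Lab Root CA", leaf_key, ca_key, False)

    req_der, nonce = build_nonced_request(leaf, ca)
    # Parse our own request to confirm the nonce extension actually went out.
    sent = ocsp.load_der_ocsp_request(req_der)
    assert sent.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce == nonce

    now = datetime.datetime.utcnow()

    def good_response(echo_nonce):
        # The CA signs its own OCSP responses here; a delegated responder works the same.
        b = ocsp.OCSPResponseBuilder().add_response(
            cert=leaf, issuer=ca, algorithm=hashes.SHA1(),
            cert_status=ocsp.OCSPCertStatus.GOOD,
            this_update=now, next_update=now + datetime.timedelta(days=1),
            revocation_time=None, revocation_reason=None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
        if echo_nonce:
            b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
        return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

    rejected = ocsp.OCSPResponseBuilder.build_unsuccessful(
        ocsp.OCSPResponseStatus.UNAUTHORIZED
    ).public_bytes(serialization.Encoding.DER)

    return {
        "rejects_nonce": diagnose(rejected, nonce),
        "ignores_nonce": diagnose(good_response(False), nonce),
        "echoes_nonce": diagnose(good_response(True), nonce),
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:14s} {verdict}")
```

Running the script prints one verdict per responder behaviour. The unauthorized (6) verdict is the case in the log excerpt; to check a real responder the same way, send the DER from `build_nonced_request` in an HTTP POST with Content-Type application/ocsp-request and pass the body of the reply to `diagnose`.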
Resolution
Enable the nonce extension on the Microsoft OCSP responder. Microsoft's Lightweight OCSP Profile does not support the nonce extension by default, but it can be enabled by modifying the extensions of the Revocation Configuration on the Online Responder.
owner: dwhyte