OCSP Validation of Client Certificate Not Working

OCSP Validation of Client Certificate Not Working

28109
Created On 09/25/18 17:42 PM - Last Modified 02/07/19 23:49 PM


Resolution

Symptoms

OCSP validation of client certificates for GlobalProtect is not working when using a Microsoft's Lightweight OCSP Profile

Issue

Confirm that validating the certificate outside of the firewall to the OCSP server is successful. Keep in mind that the firewall includes the nonce in the OCSP query

Take a look at the following logs from mp-log sslmgr.log, for the following error message (or similar):

Jul 30 15:46:59 sslmgr: ike mgr client certificate profile commit

Jul 30 15:52:16 Error: pan_ocsp_parse_response(pan_crl.c:1262): [OCSP] The result of Certificate status query is unavailable for serial number[6128D58D000000000004] and uri[http://labsrv1.stealthllama.local/ocsp]

Jul 30 15:52:16 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1948): pan_ocsp_parse_response() failed

There might also be error messages like the ones below:

Jul 31 18:24:31 sslmgr_sysd_verify_cert(sslmgr_sysd.c:164): vsys id(1) profile name(StealthllamaClients) cert len (2034) obj len(2074) struct length(40)

Jul 31 18:24:31 [OCSP] URL (null) serialno: 6128D58D000000000004

Jul 31 18:24:31 pan_ocsp_certchain_to_file(pan_crl.c:1066): root_ca_fname(Clr3Zk-uU9Jad2n)

Jul 31 18:24:31 pan_ocsp_query_responder(pan_crl.c:1807): cetificate valid time information (Issuer: Not Before[Jul 29 15:51:18 2012 GMT]; Not After[Jul 29 16:01:16 2017 GMT]; Cert: Not Before[Jul 29 16:24:45 2012 GMT]; Not After[Jul 29 16:24:45 2013 GMT];)

Jul 31 18:24:31 pan_ocsp_parse_response(pan_crl.c:1187): Responder Error: unauthorized (6)

Jul 31 18:24:31 Error: pan_ocsp_parse_response(pan_crl.c:1262): [OCSP] The result of Certificate status query is unavailable for serial number[6128D58D000000000004] and uri[http://labsrv1.stealthllama.local/ocsp]

Jul 31 18:24:31 Error: pan_ocsp_fetch_ocsp(pan_crl.c:1948): pan_ocsp_parse_response() failed

Jul 31 18:24:31 sslmgr_check_status(sslmgr_main.c:671): [OCSP] Certificate status unavailable: depth:0

Resolution

Enable that extension in the MicroSoft OCSP responder. Microsoft's Lightweight OCSP Profile does not support nonce extensions by default. However, it can be enabled by modifying the Revocation Configuration extensions.

owner: dwhyte



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIWCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language