Occasional Contributor II
Posts: 14
Registered: ‎12-12-2012

OCSP response verification failed

Hello,

I'm trying to set up my controller to check certificate revocation from a newly created Windows CA via OCSP. As I understand it, the controller is acting as an OCSP client. I use revocation checking to check user certificates for VIA users. The OCSP server should be up and running. I'm using the Microsoft-recommended OCSPResponseSigning certificate template to enroll for a response signing certificate on the CA server.

When revocation checking takes place, the process log shows the error message "certmgr[1620]: <118004> <ERRS> |certmgr| OCSP response verification failed."

What can cause this?

The other thing that I don't understand in the Revocation CheckPoint configuration is the "OCSP Responder Cert" that must be defined for a Revocation CheckPoint per CA. The documentation does not explain what this certificate should be. I have tried to put many different certificates there (controller's server cert, CA's OCSP signing cert and CA cert) but I always get the error message described above.

I'm running AOS version 6.4.2.0

Occasional Contributor II
Posts: 14
Registered: ‎12-12-2012

Re: OCSP response verification failed

It seems that this was an issue with the OCSP responder. I enabled the NONCE extension. This did the trick. OCSP is now working. I think the NONCE requirement should be mentioned in the documentation.
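
The resolution above points at the OCSP nonce extension (id-pkix-ocsp-nonce, RFC 6960). As an added example, not part of the thread and not the controller's own code, this Python shows the check a client that sent a nonce makes on the reply: locate the nonce in the response extensions and compare it with the one sent. It takes the DER of the Extensions SEQUENCE only, and the function names and sample bytes are constructed for illustration.

```python
import hmac

NONCE_OID = bytes.fromhex("2b0601050507300102")  # 1.3.6.1.5.5.7.48.1.2, id-pkix-ocsp-nonce

def tlv(tag, body):  # DER-encode a short TLV; only used to build the constructed samples
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV at pos; ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length bytes
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated body")
    return tag, buf[pos:pos + n], pos + n

def find_nonce(extensions_der):
    """Walk Extensions ::= SEQUENCE OF Extension and return the nonce bytes, or None."""
    tag, body, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        id_tag, oid, p = read_tlv(ext)
        val_tag, val, p = read_tlv(ext, p)
        if val_tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
            val_tag, val, p = read_tlv(ext, p)
        if id_tag == 0x06 and oid == NONCE_OID and val_tag == 0x04:
            inner_tag, nonce, _ = read_tlv(val)  # extnValue wraps Nonce ::= OCTET STRING
            return nonce if inner_tag == 0x04 else None
    return None

def nonce_status(sent, response_extensions_der):  # 'match', 'mismatch' or 'missing'
    got = find_nonce(response_extensions_der) if response_extensions_der else None
    if got is None:
        return "missing"
    return "match" if hmac.compare_digest(got, sent) else "mismatch"

def sample_extensions(nonce=None):  # constructed sample: unrelated extension + optional nonce
    other = tlv(0x30, tlv(0x06, bytes.fromhex("2b0601050507300109")) + tlv(0x04, b"\x05\x00"))
    mine = tlv(0x30, tlv(0x06, NONCE_OID) + tlv(0x04, tlv(0x04, nonce))) if nonce else b""
    return tlv(0x30, other + mine)
```

A result of "missing" corresponds to a responder that does not echo the nonce, which is the condition the poster changed on the responder side.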
