12-15-2013 01:02 PM
I was asked to move my post - hope it saves you the headaches of having to go through the arguments I have with my security guys....
Anyone had any issues with OCSP verification with Microsoft CA running on 2012? I have removed nonces as a requirement and validated OCSP with certutil from a Windows workstation using the client certificate that I exported off the laptop, and it checks out OK. Interestingly enough, the OCSP check when done from a Linux machine (not CPPM) fails, and the OCSP call using openssl is totally different to the OCSP call from certutil on Windows (seems to reference a Microsoft CryptoAPI). I have a TAC raised and will post the solution when we get one, but wondered if anyone could give us a head start? BTW all roots and intermediates are present and EAP-TLS works fine providing I disable OCSP verification within the authentication method under the configured service. Many thanks.
Just in case anyone gets caught out on this who has done a recent installation of PKI:
By allowing "Enable NONCE extensions support" you allow an OCSP check to get processed properly. Keep the nonce option enabled on 6.2 CPPM.
Note now my Linux systems can do an OCSP check successfully - I guess at CPPM's heart lies a Linux server, as most of the stuff is nowadays.
I have more detail I can post up if anyone wants me to, regarding the certutil OCSP validation check, the Microsoft CryptoAPI and the openssl method, if you want.
Hope it saves you guys some time if you end up in the same boat.
To be absolutely crystal clear - nonce support needs to be enabled on the Microsoft CA server.
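The request-nonce behaviour this post turns on, and the stale or mismatched answers the load-balancer follow-up worries about, reproduced offline with plain openssl. This is an added example, not from the original thread, from Aruba or from Microsoft: it builds a throw-away issuing CA, a "good" and a "revoked" client certificate and openssl's flat-file CA database (all names, serials and dates are constructed), runs `openssl ocsp -index` as a stand-in responder, and then checks responses the way a client such as CPPM would. The only assumption is an `openssl` binary (1.1.1 or 3.x) on PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Requires only the openssl CLI.
# Everything under $WORK is constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"

# Throw-away issuing CA, one good and one revoked client cert, plus the
# index file that openssl's responder mode consults.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    for name in good revoked; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name-client" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1001 -days 365 -out "$WORK/good.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/revoked.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 0x1002 -days 365 -out "$WORK/revoked.pem" 2>/dev/null
    # CA database columns: status, expiry, revocation date, serial (hex), file, subject
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=good-client\n' > "$WORK/index.txt"
    printf 'R\t991231235959Z\t240101000000Z\t1002\tunknown\t/CN=revoked-client\n' >> "$WORK/index.txt"
}

# Build a DER OCSP request for a client cert. $2 is "nonce" or "no_nonce";
# openssl adds a random nonce by default, exactly what CPPM sends.
make_request() {
    if [ "$2" = nonce ]; then
        openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -reqout "$3" 2>/dev/null
    else
        openssl ocsp -issuer "$WORK/ca.pem" -cert "$1" -no_nonce -reqout "$3" 2>/dev/null
    fi
}

# Does the request carry the id-pkix-ocsp-nonce extension?
request_has_nonce() {
    openssl ocsp -reqin "$1" -text 2>/dev/null | grep -q "OCSP Nonce"
}

# Stand-in responder (signing with the CA key, a demo shortcut). openssl copies
# the request nonce into the response, which is what the Microsoft responder
# only does once nonce support is enabled.
answer_request() {
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" \
        -reqin "$1" -respout "$2" >/dev/null 2>&1
}

# Client-side verdict on a response ($1) paired with the request ($2) that
# produced it: ok, ok-no-nonce, nonce-mismatch or fail.
verify_report() {
    out=$(openssl ocsp -respin "$1" -reqin "$2" -CAfile "$WORK/ca.pem" 2>&1) || true
    case "$out" in
        *"Nonce Verify error"*) echo nonce-mismatch ;;
        *"Response verify OK"*)
            case "$out" in
                *"no nonce in response"*) echo ok-no-nonce ;;
                *) echo ok ;;
            esac ;;
        *) echo fail ;;
    esac
}

# Certificate status word (good/revoked/unknown) carried by a response.
response_status() {
    openssl ocsp -respin "$1" -text -noverify 2>/dev/null \
        | sed -n 's/.*Cert Status: \([a-z]*\).*/\1/p' | head -n 1
}

setup_pki
make_request "$WORK/good.pem" nonce    "$WORK/req_nonce.der"
make_request "$WORK/good.pem" nonce    "$WORK/req_again.der"     # same cert, fresh nonce
make_request "$WORK/good.pem" no_nonce "$WORK/req_plain.der"
make_request "$WORK/revoked.pem" nonce "$WORK/req_revoked.der"
answer_request "$WORK/req_nonce.der"   "$WORK/resp_good.der"
answer_request "$WORK/req_plain.der"   "$WORK/resp_plain.der"    # responder saw no nonce
answer_request "$WORK/req_revoked.der" "$WORK/resp_revoked.der"

echo "nonce in request:            $(request_has_nonce "$WORK/req_nonce.der" && echo yes || echo no)"
echo "nonce in -no_nonce request:  $(request_has_nonce "$WORK/req_plain.der" && echo yes || echo no)"
echo "matching nonce:              $(verify_report "$WORK/resp_good.der"  "$WORK/req_nonce.der")"
echo "responder ignored nonce:     $(verify_report "$WORK/resp_plain.der" "$WORK/req_nonce.der")"
echo "response for another request: $(verify_report "$WORK/resp_good.der" "$WORK/req_again.der")"
echo "status good.pem:             $(response_status "$WORK/resp_good.der")"
echo "status revoked.pem:          $(response_status "$WORK/resp_revoked.der")"
```

The three verdicts are the point. A response that echoes the request nonce is accepted. A response with no nonce at all (the responder ignored the extension, which is the Microsoft CA's behaviour before nonce support is enabled) gets only "WARNING: no nonce in response" from openssl, while this thread reports that CPPM 6.2 treats the same case as a failed check. A response carrying some other request's nonce, the kind of thing a cache or a badly sharded responder pool can hand back, is rejected outright, so when comparing a working certutil check against a failing one it pays to capture the raw request and response and look at the nonce extension on both sides before arguing about trust chains.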
12-15-2013 01:06 PM
BTW - in a further twist on the end, two CRL servers contain revocation material in this deployment; these sit behind a load balancer. The OCSP call was being arbitrarily divided (as you would want & expect) by the load balancer. Trouble was that the cert revocation serials were not being synchronised properly, causing the OCSP call to return bad info.... another argument ensued, and well, this sync frequency was upped as opposed to publishing a specific OCSP URL within each signed certificate - anyone got any opinions on this last point BTW?
12-15-2013 08:48 PM
With the growing concern about security, a lot more people out there are starting to deploy certificates, and more and more people will have to learn about OCSP with ClearPass, other PKI infrastructures and what the best practices are.
04-23-2014 06:07 AM
Just been going through the same issue on the Aruba controller and using certificates for IKEv1 authentication instead of PSK. Running an OCSP check from the controller to a Microsoft 2012 CA failed until the NONCE exemption support was enabled on the CA.