topic Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA in General Topics

GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

ESutedy — Thu, 01 Jun 2017 02:20:41 GMT

Hi guys,

We are using Certificate Authentication Profile for Pre-Logon and then Username and Password before VPN can be established.

GP is working fine and we would like to validate when certificate is revoked, it will stop the machine from connecting.

In our environment we have an Standalone Root CA and Enterprise Subordinate CA and the URL locations for OCSP and CDP are pointing to LDAP.

CDP

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=X,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint)

AIA (OCSP?)

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=ldap:///CN=Ent-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?cACertificate?base?objectClass=certificationAuthority (ldap:///CN=Ent-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=X,DC=local?cACertificate?base?objectClass=certificationAuthority)

Which URL do i need to set up under the Certification Profile Default OCSP URL?

Do i also need to enter the Root CA OCSP URL?

Thanks for the input.

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

Remo — Thu, 01 Jun 2017 17:22:12 GMT

I don't know 100% if this information is still valid but in the past I think only http url's were supported. I also searched in the documentation and so far I was not able to find something about an ldap url.
If the url is included in your certificate then it will be enough if you simply click the checkboses for "Use OCSP" and "Use CRL". OCSP is always the preferred one.
In the url's you only need the url for your intermediate CA, because this is the one which signs your client/user certificates.
Ok, the inermediate can be revoked too but if you ever run into a problem with this one revoked then you need to manually change the cert on the firewall anyway. But if you simply import the root cert to your fw cert store, the fw will also get revocation information for that cert and likely mark your inermediate as invalid if it is revoked, but I did never test this.

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

ESutedy — Fri, 02 Jun 2017 03:56:53 GMT

thanks @Remo

I have simply checked the Use OCSP and Use CRL Checkboxes.

i have since revoked a certificate, and Delta CRL is set to be updated everyday. Is there a way to check if GP is checking the CRL?

I just also noticed that the Default OCSP URL must start with http or https

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

Remo — Fri, 02 Jun 2017 16:26:12 GMT

Search in your system logs: (description contains 'CRL')
Try to connect with a computer which has a revoked certificate
https://live.paloaltonetworks.com/t5/Management-Articles/View-Delete-CRL-and-OCSP-cache/ta-p/59286
less mp-log sslmgr.log

Re: GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

ESutedy — Tue, 11 Jul 2017 00:59:12 GMT

I confirm that LDAP CRL works as well.

I revoked a certificate from CA and deny re-enrollment.

When trying to connect to the GP Portal with the revoked cert - the client is showing "Required client certificate is not found"