https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221360#M63747 <P>Hi Gwesson,</P><P>&nbsp;</P><P>Thank you for your response. The step I missed is Commit before using the certificate. The certs are valid in OCSP now.</P><P>&nbsp;</P><P>But I got another problem, that is when I revoke the certificate on Firewall (with commit), the OCSP cache still have the cert as valid status, not change to revoked. So that client still can authenticate to VPN. Do you have any clue about that?</P> Tue, 10 Jul 2018 07:18:52 GMT Retired Member 2018-07-10T07:18:52Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221115#M63718 <P>Hi team,</P><P>&nbsp;</P><P>I am configuring Firewall as CA and local OCSP responder to use in GP VPN with client cert authen.</P><P>However, all the client cert that I generated from the Firewall got "unknown" status in OCSP. So I client cannot authentiate by this cert.</P><P>&nbsp;</P><P>Can anyone please help to find out why? Thank you.</P><P>&nbsp;</P><P>admin@PA-VM(active)&gt; debug sslmgr view ocsp all<BR /><BR />Current time is: Mon Jul&nbsp; 9 19:11:30 2018<BR /><BR />Count&nbsp;&nbsp; Serial Number (HEX)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Next Update&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Revocation Time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Reason&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Issuer Name Hash<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OCSP Responder URL<BR />------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------<BR />[&nbsp;&nbsp;&nbsp; 1] 056CC7E0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unknown&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 20:11:23 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 2] 056CC7D6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 04:16:33 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 3] 056CC7DF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unknown&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 20:07:46 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 4] 056CC7DB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unknown&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 05:32:33 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 5] 056CC7DA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 05:20:57 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 6] 056CC7DE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 20:02:11 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 7] 056CC7DC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unknown&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 19:52:05 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 8] 056CC7D7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 04:37:37 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.10/CA/ocsp" target="_blank">http://192.168.55.10/CA/ocsp</A><BR />[&nbsp;&nbsp;&nbsp; 9] 056CC7D7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 04:45:46 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp; 10] 056CC7DD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; unknown&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 19:55:52 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR />[&nbsp;&nbsp; 11] 056CC7D8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; valid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Jul 09 04:51:22 2018 GMT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; f7608426<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A><BR /><BR />admin@PA-VM(active)&gt;<BR />admin@PA-VM(active)&gt;<BR />admin@PA-VM(active)&gt; tail mp-log sslmgr.log<BR />2018-07-10 02:02:11.066 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.<BR />2018-07-10 02:02:11.066 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist<BR />2018-07-10 02:07:46.649 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.<BR />2018-07-10 02:07:46.649 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist<BR />2018-07-10 02:07:46.649 +0700 Error:&nbsp; pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7DF] and uri[<A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A>]<BR />2018-07-10 02:07:46.649 +0700 Error:&nbsp; pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed<BR />2018-07-10 02:11:23.755 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.<BR />2018-07-10 02:11:23.755 +0700 Warning:&nbsp; pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist<BR />2018-07-10 02:11:23.756 +0700 Error:&nbsp; pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7E0] and uri[<A href="http://192.168.55.20/CA/ocsp" target="_blank">http://192.168.55.20/CA/ocsp</A>]<BR />2018-07-10 02:11:23.756 +0700 Error:&nbsp; pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed</P> Mon, 09 Jul 2018 05:19:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221115#M63718 Retired Member 2018-07-09T05:19:41Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221253#M63740 <P>Just to make sure we're troubleshooting the right spot, did you do all of the following?</P><P>&nbsp;</P><P>1. Created the OCSP responder on the firewall (Device tab &gt; Certificate Management &gt; OCSP Responder).</P><P>2. Created the certificate with that OCSP responder selected.</P><P>3.&nbsp;Allow connections to a dataplane interface to let OCSP respond (Network tab &gt; Network Profiles &gt; Interface Mgmt &gt; Select "HTTP OCSP")</P><P>4. Have a security rule allowing the inbound OCSP requests.</P><P>&nbsp;</P><P>Steps 1 &amp; 2 are required to do in that order (though can be done after steps 3 &amp; 4). If the cert was created before the OCSP responder was created, it won't work since the cert doesn't have the OCSP location present.&nbsp;</P><P>&nbsp;</P><P>Steps 3 &amp; 4 can be done in any order, but are required also.</P><P>&nbsp;</P><P>I wrote up a document a few years ago that goes over the procedure and talks about testing it as well:</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/62256" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/62256</A></P> Mon, 09 Jul 2018 18:03:45 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221253#M63740 gwesson 2018-07-09T18:03:45Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221360#M63747 <P>Hi Gwesson,</P><P>&nbsp;</P><P>Thank you for your response. The step I missed is Commit before using the certificate. The certs are valid in OCSP now.</P><P>&nbsp;</P><P>But I got another problem, that is when I revoke the certificate on Firewall (with commit), the OCSP cache still have the cert as valid status, not change to revoked. So that client still can authenticate to VPN. Do you have any clue about that?</P> Tue, 10 Jul 2018 07:18:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221360#M63747 Retired Member 2018-07-10T07:18:52Z https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221554#M63793 <P>I don't, but I'd recommend starting a new thread so your question can be seen by the whole community instead of to an answered-ish thread.</P> Tue, 10 Jul 2018 16:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ocsp-unknown-status/m-p/221554#M63793 gwesson 2018-07-10T16:31:30Z