05-31-2017 07:20 PM
Hi guys,
We are using a Certificate Authentication Profile for Pre-Logon and then Username and Password before the VPN can be established.
GP is working fine, and we would like to validate that when a certificate is revoked, it will stop the machine from connecting.
In our environment we have a standalone Root CA and an Enterprise Subordinate CA, and the URL locations for OCSP and CDP are pointing to LDAP.
CDP
[1]CRL Distribution Point
    Distribution Point Name:
        Full Name:
            URL=ldap:///CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
AIA (OCSP?)
[1]Authority Info Access
    Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
    Alternative Name:
        URL=ldap:///CN=Ent-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?cACertificate?base?objectClass=certificationAuthority
Which URL do I need to set up under the Certificate Profile's Default OCSP URL?
Do I also need to enter the Root CA's OCSP URL?
Thanks for the input.
06-01-2017 10:22 AM
06-01-2017 08:53 PM - edited 06-01-2017 08:56 PM
thanks @Remo
I have simply checked the Use OCSP and Use CRL Checkboxes.
I have since revoked a certificate, and the Delta CRL is set to be updated every day. Is there a way to check if GP is checking the CRL?
I just also noticed that the Default OCSP URL must start with http or https
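The question above asks how to tell whether the revoked certificate is actually being caught. Before looking at the firewall, it is worth confirming two things from a domain-joined Windows client: that the CRL published to the LDAP CDP really lists the revoked serial (a revocation only shows up after the base or delta CRL is republished), and that a client-side chain build with online revocation checking returns Revoked rather than RevocationStatusUnknown. The script below is an added example; it is not from the original thread or from Palo Alto Networks. The certificate subject, the CDP distinguished name (copied from the CDP extension in the question, with CN=ServerName as it appears there) and the temp directory are assumptions. Note also that the AIA shown in the question carries only the Certification Authority Issuer access method (1.3.6.1.5.5.7.48.2); an OCSP responder is advertised with access method 1.3.6.1.5.5.7.48.1 and an http:// URL, which is why an ldap:/// URL cannot be entered as the Default OCSP URL.

```powershell
# Added example (not from the thread or from Palo Alto Networks).
# Run on a domain-joined Windows client that holds the pre-logon machine certificate.
# Assumed values (not in the thread): the certificate subject and the CDP DN.
$Subject = 'CN=client01.X.local'
$CdpDn   = 'CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local'
$WorkDir = Join-Path $env:TEMP 'crl-check'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Pull the base and delta CRL straight from the LDAP CDP object the certificate points at.
#    certificateRevocationList holds the base CRL, deltaRevocationList the delta CRL.
$cdp = [ADSI]"LDAP://$CdpDn"
[byte[]]$baseCrl  = $cdp.Properties['certificateRevocationList'].Value
[byte[]]$deltaCrl = $cdp.Properties['deltaRevocationList'].Value
[IO.File]::WriteAllBytes("$WorkDir\base.crl", $baseCrl)
if ($deltaCrl) { [IO.File]::WriteAllBytes("$WorkDir\delta.crl", $deltaCrl) }

# 2. Check that the revoked serial actually appears in what the CA has published.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
$serial  = $cert.SerialNumber
$crlDump = certutil -dump "$WorkDir\base.crl"
if ($deltaCrl) { $crlDump += certutil -dump "$WorkDir\delta.crl" }
$listed = [bool]($crlDump | Select-String -SimpleMatch $serial)
"Serial $serial listed in the published base/delta CRL: $listed"

# 3. Build the chain with online revocation checking for the whole chain, after dropping
#    any cached CRL so a fresh copy is fetched from the CDP.
certutil -urlcache crl delete | Out-Null
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)
"Chain valid: $valid"
foreach ($s in $chain.ChainStatus) { '  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }

# Reading the result:
#   Revoked                 -> the CRL was fetched and lists this certificate (the outcome wanted here)
#   RevocationStatusUnknown -> the CDP/OCSP URL could not be fetched; an ldap:/// CDP is only
#   OfflineRevocation          reachable from a domain-joined machine. Treat this as a failure,
#                              not a pass, when deciding whether revocation is really enforced.
```

Exporting the certificate and running `certutil -verify -urlfetch client.cer` on the same machine prints every CDP and AIA URL the chain engine tried and whether each fetch succeeded, which is the quickest way to see that the ldap:/// locations are being resolved at all. If step 2 reports the serial as not listed, the revocation has not been published yet: publish a new CRL on the issuing CA (`certutil -CRL`) and repeat.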
06-02-2017 09:26 AM
07-10-2017 05:59 PM
I confirm that LDAP CRL works as well.
I revoked a certificate from the CA and denied re-enrollment.
When trying to connect to the GP Portal with the revoked cert, the client shows "Required client certificate is not found".