GlobalProtect OCSP URL location with Offline Root CA and Enterprise Subordinate CA

L1 Bithead

Hi guys,

We are using a Certificate Authentication Profile for Pre-Logon and then Username and Password before the VPN can be established.

GP is working fine and we would like to validate that when a certificate is revoked, it will stop the machine from connecting.

In our environment we have a Standalone Root CA and an Enterprise Subordinate CA, and the URL locations for OCSP and CDP are pointing to LDAP.

CDP

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

AIA (OCSP?)

[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=ldap:///CN=Ent-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?cACertificate?base?objectClass=certificationAuthority

Which URL do I need to set up under the Certification Profile Default OCSP URL?

Do I also need to enter the Root CA OCSP URL?

Thanks for the input.
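To tell at a glance which URL in a certutil-style dump like the one above is an OCSP responder (access method OID 1.3.6.1.5.5.7.48.1) rather than the CA Issuers entry (1.3.6.1.5.5.7.48.2, which is what the AIA above carries), and whether it is an http/https URL that the Default OCSP URL field accepts, here is an added standard-library Python script; it is not from the thread or from Palo Alto Networks, and the dump text, DNs and the `ocsp.example.local` hostname are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Access-method OIDs carried in the Authority Info Access extension (RFC 5280 4.2.2.1)
OCSP_OID = "1.3.6.1.5.5.7.48.1"
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"

# Constructed sample in the certutil dump format pasted above; DNs are placeholders.
POST_DUMP = """\
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Ent-CA,CN=ServerName,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=ldap:///CN=Ent-CA,CN=AIA,CN=Public Key Services,CN=Services,CN=Configuration,DC=X,DC=local?cACertificate?base?objectClass=certificationAuthority
"""
# Constructed variant whose CA also publishes an HTTP OCSP responder (hostname is a placeholder).
OCSP_DUMP = POST_DUMP + """\
[2]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.example.local/ocsp
"""

def parse_revocation_urls(dump):
    """Sort the URL= lines of a dump into CRL, OCSP and CA Issuers lists by extension and OID."""
    urls = {"crl": [], "ocsp": [], "ca_issuers": []}
    bucket = None
    for line in dump.splitlines():
        s = line.strip()
        if s.startswith("[") and "CRL Distribution Point" in s:
            bucket = "crl"
        elif s.startswith("[") and "Authority Info Access" in s:
            bucket = None  # decided by the Access Method line that follows
        elif s.startswith("Access Method="):
            m = re.search(r"\(([\d.]+)\)\s*$", s)
            oid = m.group(1) if m else ""
            bucket = {OCSP_OID: "ocsp", CA_ISSUERS_OID: "ca_issuers"}.get(oid)
        elif s.startswith("URL=") and bucket:
            urls[bucket].append(s[len("URL="):])
    return urls

def default_ocsp_url(urls):
    """First OCSP responder usable in the firewall's Default OCSP URL field (http/https only), else None."""
    for u in urls["ocsp"]:
        if urlsplit(u).scheme in ("http", "https"):
            return u
    return None
```

Run against the first sample it reports no OCSP responder at all, only an LDAP CRL and CA Issuers entry; only the second sample yields a URL the firewall field would accept.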

4 REPLIES 4

L7 Applicator
I don't know 100% if this information is still valid, but in the past I think only http URLs were supported. I also searched in the documentation and so far I was not able to find anything about an ldap URL.
If the URL is included in your certificate, then it will be enough if you simply click the checkboxes for "Use OCSP" and "Use CRL". OCSP is always the preferred one.
In the URLs you only need the URL for your intermediate CA, because this is the one which signs your client/user certificates.
Ok, the intermediate can be revoked too, but if you ever run into a problem with this one being revoked, then you need to manually change the cert on the firewall anyway. But if you simply import the root cert to your fw cert store, the fw will also get revocation information for that cert and likely mark your intermediate as invalid if it is revoked, but I never tested this.

thanks @Remo

I have simply checked the Use OCSP and Use CRL checkboxes.

I have since revoked a certificate, and the Delta CRL is set to be updated every day. Is there a way to check if GP is checking the CRL?

I just also noticed that the Default OCSP URL must start with http or https.

L1 Bithead

I confirm that LDAP CRL works as well.

I revoked a certificate from the CA and denied re-enrollment.

When trying to connect to the GP Portal with the revoked cert, the client shows "Required client certificate is not found".
