OCSP unknown status

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

OCSP unknown status

L1 Bithead

Hi team,

 

I am configuring Firewall as CA and local OCSP responder to use in GP VPN with client cert authen.

However, all the client cert that I generated from the Firewall got "unknown" status in OCSP. So I client cannot authentiate by this cert.

 

Can anyone please help to find out why? Thank you.

 

admin@PA-VM(active)> debug sslmgr view ocsp all

Current time is: Mon Jul  9 19:11:30 2018

Count   Serial Number (HEX)                      Status      Next Update              Revocation Time          Reason    
        Issuer Name Hash
        OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[    1] 056CC7E0                                 unknown     Jul 09 20:11:23 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    2] 056CC7D6                                 valid       Jul 09 04:16:33 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    3] 056CC7DF                                 unknown     Jul 09 20:07:46 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    4] 056CC7DB                                 unknown     Jul 09 05:32:33 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    5] 056CC7DA                                 valid       Jul 09 05:20:57 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    6] 056CC7DE                                 valid       Jul 09 20:02:11 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    7] 056CC7DC                                 unknown     Jul 09 19:52:05 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[    8] 056CC7D7                                 valid       Jul 09 04:37:37 2018 GMT                          
        f7608426
        http://192.168.55.10/CA/ocsp
[    9] 056CC7D7                                 valid       Jul 09 04:45:46 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[   10] 056CC7DD                                 unknown     Jul 09 19:55:52 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp
[   11] 056CC7D8                                 valid       Jul 09 04:51:22 2018 GMT                          
        f7608426
        http://192.168.55.20/CA/ocsp

admin@PA-VM(active)>
admin@PA-VM(active)>
admin@PA-VM(active)> tail mp-log sslmgr.log
2018-07-10 02:02:11.066 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:02:11.066 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:07:46.649 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:07:46.649 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:07:46.649 +0700 Error:  pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7DF] and uri[http://192.168.55.20/CA/ocsp]
2018-07-10 02:07:46.649 +0700 Error:  pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed
2018-07-10 02:11:23.755 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:11:23.755 +0700 Warning:  pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:11:23.756 +0700 Error:  pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7E0] and uri[http://192.168.55.20/CA/ocsp]
2018-07-10 02:11:23.756 +0700 Error:  pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed

3 REPLIES 3

L7 Applicator

Just to make sure we're troubleshooting the right spot, did you do all of the following?

 

1. Created the OCSP responder on the firewall (Device tab > Certificate Management > OCSP Responder).

2. Created the certificate with that OCSP responder selected.

3. Allow connections to a dataplane interface to let OCSP respond (Network tab > Network Profiles > Interface Mgmt > Select "HTTP OCSP")

4. Have a security rule allowing the inbound OCSP requests.

 

Steps 1 & 2 are required to do in that order (though can be done after steps 3 & 4). If the cert was created before the OCSP responder was created, it won't work since the cert doesn't have the OCSP location present. 

 

Steps 3 & 4 can be done in any order, but are required also.

 

I wrote up a document a few years ago that goes over the procedure and talks about testing it as well:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-an-OCSP-Responder/ta-p/622...

Hi Gwesson,

 

Thank you for your response. The step I missed is Commit before using the certificate. The certs are valid in OCSP now.

 

But I got another problem, that is when I revoke the certificate on Firewall (with commit), the OCSP cache still have the cert as valid status, not change to revoked. So that client still can authenticate to VPN. Do you have any clue about that?

I don't, but I'd recommend starting a new thread so your question can be seen by the whole community instead of to an answered-ish thread.

  • 4535 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!