07-08-2018 10:19 PM
Hi team,
I am configuring the Firewall as CA and local OCSP responder to use in GlobalProtect VPN with client certificate authentication.
However, all the client certs that I generated from the Firewall got "unknown" status in OCSP, so the client cannot authenticate with this cert.
Can anyone please help to find out why? Thank you.
admin@PA-VM(active)> debug sslmgr view ocsp all
Current time is: Mon Jul 9 19:11:30 2018
Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 056CC7E0 unknown Jul 09 20:11:23 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 2] 056CC7D6 valid Jul 09 04:16:33 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 3] 056CC7DF unknown Jul 09 20:07:46 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 4] 056CC7DB unknown Jul 09 05:32:33 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 5] 056CC7DA valid Jul 09 05:20:57 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 6] 056CC7DE valid Jul 09 20:02:11 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 7] 056CC7DC unknown Jul 09 19:52:05 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 8] 056CC7D7 valid Jul 09 04:37:37 2018 GMT
f7608426
http://192.168.55.10/CA/ocsp
[ 9] 056CC7D7 valid Jul 09 04:45:46 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 10] 056CC7DD unknown Jul 09 19:55:52 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 11] 056CC7D8 valid Jul 09 04:51:22 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
admin@PA-VM(active)>
admin@PA-VM(active)>
admin@PA-VM(active)> tail mp-log sslmgr.log
2018-07-10 02:02:11.066 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:02:11.066 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:07:46.649 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:07:46.649 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:07:46.649 +0700 Error: pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7DF] and uri[http://192.168.55.20/CA/ocsp]
2018-07-10 02:07:46.649 +0700 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed
2018-07-10 02:11:23.755 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2494): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2018-07-10 02:11:23.755 +0700 Warning: pan_ocsp_query_responder(pan_crl.c:2500): issuer_cert_filename(/opt/pancfg/certificates/custom-4/0/Ou+BdKZJlUSwmHN) does not exist
2018-07-10 02:11:23.756 +0700 Error: pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result of Certificate status query is unknown for serial number[056CC7E0] and uri[http://192.168.55.20/CA/ocsp]
2018-07-10 02:11:23.756 +0700 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2722): pan_ocsp_parse_response() failed
07-09-2018 11:03 AM
Just to make sure we're troubleshooting the right spot, did you do all of the following?
1. Created the OCSP responder on the firewall (Device tab > Certificate Management > OCSP Responder).
2. Created the certificate with that OCSP responder selected.
3. Allow connections to a dataplane interface to let OCSP respond (Network tab > Network Profiles > Interface Mgmt > Select "HTTP OCSP")
4. Have a security rule allowing the inbound OCSP requests.
Steps 1 & 2 are required to be done in that order (though they can be done after steps 3 & 4). If the cert was created before the OCSP responder was created, it won't work since the cert doesn't have the OCSP location present.
Steps 3 & 4 can be done in any order, but are required also.
I wrote up a document a few years ago that goes over the procedure and talks about testing it as well:
07-10-2018 12:18 AM
Hi Gwesson,
Thank you for your response. The step I missed was the Commit before using the certificate. The certs are valid in OCSP now.
But I got another problem: when I revoke the certificate on the Firewall (with commit), the OCSP cache still has the cert with valid status, not changed to revoked, so the client can still authenticate to the VPN. Do you have any clue about that?
07-10-2018 09:31 AM
I don't, but I'd recommend starting a new thread so your question can be seen by the whole community instead of in an answered-ish thread.
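A small triage helper, added here and not from the thread or from Palo Alto Networks, that parses the `debug sslmgr view ocsp all` listing and the sslmgr.log lines shown above: it ties each non-valid cache entry to the responder's own "status query is unknown" log line, and for each cached valid entry reports the Next Update time, which is the earliest a later revocation (the follow-up problem above) can show up without clearing the cache. It assumes the "Current time is" line is printed in GMT like the Next Update column, and that a cached answer is reused until its Next Update and re-queried after it.

```python
import re
from datetime import datetime, timezone
# Constructed sample: three records from the thread's `debug sslmgr view ocsp all` output.
OCSP_CACHE = """\
Current time is: Mon Jul 9 19:11:30 2018
[ 1] 056CC7E0 unknown Jul 09 20:11:23 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 2] 056CC7D6 valid Jul 09 04:16:33 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
[ 6] 056CC7DE valid Jul 09 20:02:11 2018 GMT
f7608426
http://192.168.55.20/CA/ocsp
"""
# Constructed sample: the sslmgr.log error line the thread shows for serial 056CC7E0.
SSLMGR_LOG = ("2018-07-10 02:11:23.756 +0700 Error: pan_ocsp_parse_response(pan_crl.c:1816): [OCSP] The result "
              "of Certificate status query is unknown for serial number[056CC7E0] and uri[http://192.168.55.20/CA/ocsp]\n")
FMT = "%b %d %H:%M:%S %Y"
CURRENT_RE = re.compile(r"^Current time is:[ \t]+(.+?)[ \t]*$", re.M)
# One record = status line (serial, status, Next Update) + issuer-hash line + responder-URL line.
ENTRY_RE = re.compile(r"^\[\s*\d+\]\s+([0-9A-Fa-f]+)\s+(\w+)\s+(\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) GMT[^\n]*\n"
                      r"[ \t]*(\S+)[ \t]*\n[ \t]*(\S+)", re.M)
LOG_RE = re.compile(r"status query is unknown for serial number\[([0-9A-Fa-f]+)\]")

def gmt(s, fmt=FMT):
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_cache(text):
    """Return (current_time, records) from the cache listing."""
    m = CURRENT_RE.search(text)
    now = gmt(m.group(1), "%a " + FMT) if m else None  # assumption: printed in GMT like Next Update
    recs = [{"serial": e[0].upper(), "status": e[1], "next_update": gmt(e[2]),
             "issuer_hash": e[3], "url": e[4]} for e in ENTRY_RE.findall(text)]
    return now, recs

def triage(cache_text, log_text):
    """Map serial -> finding: non-valid entries are tied to the responder's log line; valid entries say until when the cached answer is reused."""
    now, recs = parse_cache(cache_text)
    logged = {m.group(1).upper() for m in LOG_RE.finditer(log_text)}
    out = {}
    for r in recs:
        if r["status"] != "valid":
            why = "responder answered unknown, see sslmgr.log" if r["serial"] in logged else "no matching sslmgr.log line"
            out[r["serial"]] = r["status"] + ": " + why
        elif now is not None and r["next_update"] <= now:
            out[r["serial"]] = "valid, cache expired: re-queried on next use"
        else:
            out[r["serial"]] = "valid, cached until " + r["next_update"].strftime(FMT) + " GMT"
    return out
```

Feed it the full output of `debug sslmgr view ocsp all` and `tail mp-log sslmgr.log` from the firewall; a revoked cert that still reads "valid, cached until ..." is the cache-staleness case, not a responder fault.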