Certificate revocation / OCSP not working


L0 Member

I've set up one of our PAs (a 5260 running 10.1.6-h3) to use as a certificate authority and OCSP responder for use with GlobalProtect remote access. I'm able to issue and verify certificates with no problem, but revoking a client certificate has no effect on whether the  able to connect. I'm able to browse to http://<PA IP>/CA/ocsp, but the browser downloads a 0kb file and the device doesn't appear to be updating this revocation information. Do I need to do something else to have the firewall validate this cert?


Does the firewall generate the OCSP request from its own management interface, or the interface it's doing the GlobalProtect auth on? I have the service listener set up on the Management interface but that wouldn't be accessible from the outside if that's the case.


L4 Transporter

I believe it uses whatever interface you define in the OCSP responder section. Is that where you've defined the management interface?
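An added example, not from either poster and not Palo Alto Networks tooling: an OCSP responder answers a DER-encoded request naming one certificate, so opening the responder URL in a browser sends no query and does not show revocation status. The sketch below sends a real request with `openssl ocsp` from whichever host needs to reach the listener and reduces the output to a single status word. The file names `ca.pem` and `client.pem` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: ask an OCSP responder about one certificate.
# Assumed inputs (hypothetical names): ca.pem = issuing CA certificate,
# client.pem = the client certificate that was revoked.

# Constructed sample of `openssl ocsp` text output for a revoked certificate.
SAMPLE_REVOKED='Response verify OK
client.pem: revoked
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  2 00:00:00 2024 GMT
    Revocation Time: Dec 31 12:00:00 2023 GMT'

# Reduce `openssl ocsp` output read from stdin to one word:
# good | revoked | unknown | no-response
ocsp_status() {
    awk '
        /: good$/    { s = "good" }
        /: revoked$/ { s = "revoked" }
        /: unknown$/ { s = "unknown" }
        END { if (s == "") s = "no-response"; print s }
    '
}

# check_cert ISSUER_PEM CERT_PEM RESPONDER_URL
# Sends the request and prints the status word. "no-response" covers an
# unreachable listener, an HTTP error, or a responder error reply.
check_cert() {
    openssl ocsp -issuer "$1" -CAfile "$1" -cert "$2" -url "$3" 2>&1 | ocsp_status
}

# Run only when called with three arguments, for example:
#   sh ocsp_check.sh ca.pem client.pem "http://<PA IP>/CA/ocsp"
if [ "$#" -eq 3 ]; then
    check_cert "$1" "$2" "$3"
fi
```

Running it once from the management network and once from the network the GlobalProtect side would use shows where the listener is reachable.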
