02-02-2017 03:21 AM
Hi,
OCSP verification configured in a Certificate Profile on my Palo Alto 3020 doesn't seem to work.
My GlobalProtect configuration with pre-logon is working with the machine certificate, but when I want to see the status of the OCSP cache on the Palo, I have an unavailable status:
debug sslmgr view ocsp all
Current time is: Thu Feb 2 10:21:28 2017
Count Serial Number (HEX) Status Next Update Revocation Time Reason
Issuer Name Hash
OCSP Responder URL
------- ---------------------------------------- ----------- ------------------------ ------------------------ ----------
[ 1] 44000001565A923152F9A9E91A000000000156 unavailable Feb 02 08:20:44 2017 GMT
Here is the error in sslmgr.log:
2017-02-02 11:42:30.124 +0100 Warning: pan_ocsp_query_responder(pan_crl.c:2039): sat_verify_certs(/opt/pancfg/certificates/ocsp-verify-ca-4/all_verify_certs_sat) doesnot exist.
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_parse_response(pan_crl.c:1460): [OCSP] The result of Certificate status query is unavailable for serial number[440000056D26FE31762285F22F00000000056D] and uri[http://ocsp.dummy.com/ocsp]
2017-02-02 11:42:30.125 +0100 Error: pan_ocsp_fetch_ocsp(pan_crl.c:2287): pan_ocsp_parse_response() failed
Yes, I've activated NONCE support on my Microsoft OCSP Responder as mentioned here:
I've done a capture on the firewall and I see the OCSP Request and OCSP Response packets, but Palo Alto
Any ideas?
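An added example (not from the original post or from Palo Alto Networks) that rebuilds the OCSP exchange offline with OpenSSL's built-in responder, so the two things a verifier must accept before a serial can be marked good, a responder signature chaining to a trusted CA and the echoed nonce, can be inspected independently of the firewall. All certificates, names and the index entry are constructed placeholders; verifying the same response against an unrelated CA shows how a response that is plainly visible in a capture is still rejected when the responder's signing certificate cannot be validated.

```shell
#!/bin/sh
# Added example, not from the original post or from Palo Alto Networks: rebuild the
# OCSP exchange offline with openssl's built-in responder, so signature verification
# and the nonce echo can be inspected independently of the firewall.
# Everything below (CA, responder, machine certificate, index entry) is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
newca() { # $1=key $2=cert $3=CN -> self-signed CA (default req config adds CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=$3" \
    -keyout "$1" -out "$2" 2>/dev/null
}
issue() { # $1=name $2=CN $3=EKU -> certificate issued by ca.pem with that extendedKeyUsage
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
newca ca.key ca.pem "Test Issuing CA"
newca other.key other.pem "Unrelated CA"        # trust anchor the responder does NOT chain to
issue ocsp "Test OCSP Responder" OCSPSigning    # delegated responder signing certificate
issue leaf "machine01.example.test" clientAuth  # the machine certificate being checked
# Responder database in openssl index.txt format: one Valid entry for the leaf's serial
serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=machine01.example.test\n' "$serial" > index.txt
# 1) Client side: build a request carrying a nonce, as the firewall does
openssl ocsp -issuer ca.pem -cert leaf.pem -nonce -reqout req.der >/dev/null 2>&1
# 2) Responder side: answer, signed by the delegated certificate; the nonce is copied back
openssl ocsp -index index.txt -rsigner ocsp.pem -rkey ocsp.key -CA ca.pem \
  -reqin req.der -respout resp.der >/dev/null 2>&1
# 3) Client side: verify signature and nonce against trust anchor $1 -> prints ok or FAIL
verify_with() {
  if openssl ocsp -respin resp.der -reqin req.der -CAfile "$1" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}
# Status the verified response gives for leaf.pem (good / revoked / unknown)
status_for_leaf() {
  openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem 2>/dev/null \
    | awk '/^leaf.pem:/ { print $2 }'
}
# Number of nonce extensions in the response: 1 means the responder echoed ours
nonce_count() { openssl ocsp -respin resp.der -text -noverify 2>/dev/null | grep -c 'OCSP Nonce'; }
echo "verify with issuing CA  : $(verify_with ca.pem)"    # ok
echo "verify with unrelated CA: $(verify_with other.pem)" # FAIL: same bytes on the wire, untrusted signer
echo "status for leaf.pem     : $(status_for_leaf)"       # good
echo "nonce echoed            : $(nonce_count)"           # 1
```

The second verification is the case to keep in mind when a capture shows a well-formed response yet the cache entry stays unavailable: the verifier needs the responder's signing chain, not just the response.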