Hello,
I have been experiencing some difficulties with a certificate request to a Cisco IOS CA (IOS version 12.4(25a)).
I have made a SCEP client for the requests and it works fine with normal requests, but when i tried to request a OCSP Signing certificate (to use to sign OCSP responces) i get a Software Error resulting in a soft reboot of the IOS.
Trying different things i came to the conclusion that the OCSP NoCheck Extension ( OID: 1.3.6.1.5.5.7.48.1.5 ) makes the IOS fail and reboot itself. Every other request runs fine.
I have tried with the value of the extension in Null ( "0x05 0x00") and with no value, with no success.
When i took the "Critical" flag off the extension, the router didn't reboot, but it didn't returned a certificate i could use (the extension wasn't in the response)
Is there a "template" i need to use? any other thing I'm missing? I need this extension so that my software doesn't get in an infinite revocation check loop.
Thank you,
Juan
PS:
Extensions used in request:
- Key Usage : Signing
- Extended Key Usage : OCSP Signing ( OID: 1.3.6.1.5.5.7.3.9 )
- OCSP NoCheck Extension
Error Got:
Breakpoint exception, CPU signal 23, PC = 0x6051799C