OCSP Signing Certificate Request problem

Unanswered Question
Jun 10th, 2009


I have been experiencing some difficulties with a certificate request to a Cisco IOS CA (IOS version 12.4(25a)).

I have made a SCEP client for the requests and it works fine with normal requests, but when I tried to request an OCSP Signing certificate (to use to sign OCSP responses) I get a Software Error resulting in a soft reboot of the IOS.

Trying different things, I came to the conclusion that the OCSP NoCheck Extension ( OID: ) makes the IOS fail and reboot itself. Every other request runs fine.

I have tried with the value of the extension set to Null ( "0x05 0x00") and with no value, with no success.

When I took the "Critical" flag off the extension, the router didn't reboot, but it didn't return a certificate I could use (the extension wasn't in the response).

Is there a "template" I need to use? Any other thing I'm missing? I need this extension so that my software doesn't get in an infinite revocation check loop.

Thank you,



Extensions used in request:

- Key Usage : Signing

- Extended Key Usage : OCSP Signing ( OID: )

- OCSP NoCheck Extension

Error Got:

Breakpoint exception, CPU signal 23, PC = 0x6051799C
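The question turns on how the three extensions are encoded in the request. The following is an added example, not code from the original post: a small self-contained DER encoder/decoder that builds the extension list an OCSP responder certificate request carries (keyUsage with digitalSignature, extKeyUsage with id-kp-OCSPSigning, and id-pkix-ocsp-nocheck) and then inspects it the way a CA or a relying client would. The post leaves the OIDs blank; the values used here are the ones from RFC 5280 and RFC 6960 (id-kp-OCSPSigning 1.3.6.1.5.5.7.3.9, id-pkix-ocsp-nocheck 1.3.6.1.5.5.7.48.1.5). RFC 6960 section 4.2.2.2.1 requires the nocheck extension value to be NULL and says the extension SHOULD be non-critical, so the checker flags an empty value and a critical flag, which are the two variants the post tried.

```python
"""Build and inspect X.509 v3 extensions for an OCSP responder certificate.
Constructed example; OID values come from RFC 5280 / RFC 6960, not the post."""

OID_KEY_USAGE = "2.5.29.15"                  # RFC 5280 4.2.1.3
OID_EXT_KEY_USAGE = "2.5.29.37"              # RFC 5280 4.2.1.12
OID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"    # RFC 5280 id-kp-OCSPSigning
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"    # RFC 6960 id-pkix-ocsp-nocheck
DER_NULL = b"\x05\x00"                       # the only value RFC 6960 allows


def _encode_length(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + _encode_length(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def _decode_length(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    nbytes = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes


def parse_tlv(buf, i=0):
    """Return (tag, content, index after this element)."""
    tag = buf[i]
    length, start = _decode_length(buf, i + 1)
    return tag, buf[start:start + length], start + length


def decode_oid(content):
    """Inverse of encode_oid (first arc 0/1/2 with second arc < 40 is enough here)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER omits the BOOLEAN when it equals the default."""
    body = encode_oid(oid)
    if critical:
        body += der(0x01, b"\xff")
    body += der(0x04, value_der)
    return der(0x30, body)


def build_ocsp_signer_extensions(nocheck_value=DER_NULL, nocheck_critical=False):
    """Extensions SEQUENCE as an OCSP responder request would carry them.
    Defaults follow RFC 6960; the parameters reproduce the variants in the post."""
    key_usage = der(0x03, b"\x07\x80")           # BIT STRING, digitalSignature only
    eku = der(0x30, encode_oid(OID_KP_OCSP_SIGNING))
    return der(0x30,
               build_extension(OID_KEY_USAGE, key_usage, critical=True)
               + build_extension(OID_EXT_KEY_USAGE, eku)
               + build_extension(OID_OCSP_NOCHECK, nocheck_value, nocheck_critical))


def parse_extensions(buf):
    """Walk the Extensions SEQUENCE and return dicts of oid/critical/value."""
    _, seq, _ = parse_tlv(buf)
    result, i = [], 0
    while i < len(seq):
        _, ext, i = parse_tlv(seq, i)
        _, oid_content, j = parse_tlv(ext, 0)
        tag, content, j = parse_tlv(ext, j)
        critical = False
        if tag == 0x01:                          # optional critical BOOLEAN present
            critical = content == b"\xff"
            tag, content, j = parse_tlv(ext, j)
        result.append({"oid": decode_oid(oid_content), "critical": critical, "value": content})
    return result


def check_ocsp_signer_extensions(buf):
    """What a CA or relying party would verify before trusting the responder cert."""
    exts = {e["oid"]: e for e in parse_extensions(buf)}
    findings = {"has_ocsp_signing_eku": False}
    eku = exts.get(OID_EXT_KEY_USAGE)
    if eku:
        _, eku_seq, _ = parse_tlv(eku["value"])  # OCTET STRING holds SEQUENCE OF OID
        k = 0
        while k < len(eku_seq):
            _, oid_c, k = parse_tlv(eku_seq, k)
            if decode_oid(oid_c) == OID_KP_OCSP_SIGNING:
                findings["has_ocsp_signing_eku"] = True
    nc = exts.get(OID_OCSP_NOCHECK)
    findings["has_nocheck"] = nc is not None
    findings["nocheck_value_is_null"] = nc is not None and nc["value"] == DER_NULL
    findings["nocheck_noncritical"] = nc is not None and not nc["critical"]
    return findings


if __name__ == "__main__":
    print(build_ocsp_signer_extensions().hex())
    print(check_ocsp_signer_extensions(build_ocsp_signer_extensions()))
    print(check_ocsp_signer_extensions(
        build_ocsp_signer_extensions(nocheck_value=b"", nocheck_critical=True)))
```

Running the block prints the hex of the well-formed extension list and two finding dicts: all four checks true for the RFC-conformant encoding, and `nocheck_value_is_null`/`nocheck_noncritical` false for the empty-value, critical variant. Dumping the request that triggers the crash through `parse_extensions` is the quickest way to confirm exactly which bytes the CA is receiving before opening a case with the vendor.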


There are two models to implement OCSP: Direct Trust Model and Delegated Trust Model. The Direct Trust Model is where the client trusts the OCSP server authority directly, without requiring third party CA authentication for the OCSP server's certificate. In the Delegated Trust Model, the OCSP server generates a public/private key pair, and sends the public key with a certificate signing request to a CA. The CA issues a certificate (that it signs) that incorporates the OCSP server public key.

In the "direct trust model" scenario, the OCSP server cert must be provisioned on the router prior to OCSP being used. With "Validate OCSP server cert from an alternative PKI hierarchy", you should be able to create a trustpoint representing the OCSP server itself, and authenticate it -- this is how you'll provision the server cert on the router.
