OCSP Signing Certificate Request problem

jestrada.uy
Level 1

Hello,

I have been experiencing some difficulties with a certificate request to a Cisco IOS CA (IOS version 12.4(25a)).

I have made a SCEP client for the requests and it works fine with normal requests, but when I tried to request an OCSP Signing certificate (to use to sign OCSP responses) I get a Software Error resulting in a soft reboot of the IOS.

Trying different things I came to the conclusion that the OCSP NoCheck Extension (OID: 1.3.6.1.5.5.7.48.1.5) makes the IOS fail and reboot itself. Every other request runs fine.

I have tried with the value of the extension set to Null ("0x05 0x00") and with no value, with no success.

When I took the "Critical" flag off the extension, the router didn't reboot, but it didn't return a certificate I could use (the extension wasn't in the response).

Is there a "template" I need to use? Any other thing I'm missing? I need this extension so that my software doesn't get into an infinite revocation check loop.

Thank you,

Juan

PS:

Extensions used in request:

- Key Usage: Signing
- Extended Key Usage: OCSP Signing (OID: 1.3.6.1.5.5.7.3.9)
- OCSP NoCheck Extension

Error Got:

Breakpoint exception, CPU signal 23, PC = 0x6051799C
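As an added example (not code from the post or from Cisco), here is the client-side counterpart of the extension the poster is asking about: a stdlib-only Python parser that reads a certificate's DER Extensions and applies the RFC 6960 rules for a delegated responder, where the value of id-pkix-ocsp-nocheck SHALL be NULL, the extension SHOULD be non-critical, and only a well-formed nocheck on a cert with the OCSP Signing EKU lets the client skip revocation checking of the responder certificate. The sample DER is constructed to match the extensions the poster lists (Key Usage omitted), once critical as in the post and once non-critical; the function and field names are this example's own.

```python
OID_EKU, OID_OCSP_SIGNING = "2.5.29.37", "1.3.6.1.5.5.7.3.9"   # extKeyUsage, id-kp-OCSPSigning
OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"                      # id-pkix-ocsp-nocheck

def _tlv(buf: bytes, pos: int):  # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value: bytes):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        yield tag, v

def decode_oid(value: bytes) -> str:  # content octets of an OBJECT IDENTIFIER -> dotted form
    arcs, acc = [value[0] // 40, value[0] % 40], 0     # first octet packs the first two arcs
    for b in value[1:]:                                 # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_extensions(ext_seq: bytes) -> dict:
    """DER Extensions SEQUENCE -> {oid: (critical, extnValue content octets)}."""
    out = {}
    for _, ext in _children(_tlv(ext_seq, 0)[1]):
        parts = list(_children(ext))                    # extnID, [critical BOOLEAN], extnValue
        critical = len(parts) == 3 and parts[1] == (0x01, b"\xff")
        out[decode_oid(parts[0][1])] = (critical, parts[-1][1])
    return out

def responder_policy(ext_seq: bytes) -> dict:
    """What an OCSP client concludes from a responder cert's extensions (RFC 6960 4.2.2.2)."""
    exts = parse_extensions(ext_seq)
    eku = [decode_oid(v) for _, v in _children(_tlv(exts[OID_EKU][1], 0)[1])] if OID_EKU in exts else []
    nocheck = exts.get(OID_OCSP_NOCHECK)
    well_formed = nocheck is not None and nocheck[1] == b"\x05\x00"   # value SHALL be NULL
    return {
        "ocsp_signing_eku": OID_OCSP_SIGNING in eku,
        "nocheck_critical": bool(nocheck and nocheck[0]),              # SHOULD be non-critical
        # Skip checking the responder cert's own revocation only on a well-formed nocheck;
        # otherwise it must be checked, which is the loop the poster wants to avoid.
        "skip_responder_revocation_check": OID_OCSP_SIGNING in eku and well_formed,
    }

# Constructed samples (not from the post): the poster's EKU plus nocheck, critical and non-critical.
_EKU = "30130603551d25040c300a06082b06010505070309"
SAMPLE_CRITICAL = bytes.fromhex("3029" + _EKU + "301206092b06010505073001050101ff04020500")
SAMPLE_NONCRITICAL = bytes.fromhex("3026" + _EKU + "300f06092b060105050730010504020500")
```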

1 Reply

wong34539
Level 6

There are two models to implement OCSP: the Direct Trust Model and the Delegated Trust Model. The Direct Trust Model is where the client trusts the OCSP server authority directly, without requiring third party CA authentication for the OCSP server's certificate. In the Delegated Trust Model, the OCSP server generates a public/private key pair, and sends the public key with a certificate signing request to a CA. The CA issues a certificate (that it signs) that incorporates the OCSP server public key.

In the "direct trust model" scenario, the OCSP server cert must be provisioned on the router prior to OCSP being used. With "Validate OCSP server cert from an alternative PKI hierarchy", you should be able to create a trustpoint representing the OCSP server itself, and authenticate it -- this is how you'll provision the server cert on the router.
