I have been experiencing some difficulties with a certificate request to a Cisco IOS CA (IOS version 12.4(25a)).
I have made a SCEP client for the requests and it works fine with normal requests, but when I tried to request an OCSP Signing certificate (to use to sign OCSP responses) I get a Software Error resulting in a soft reboot of the IOS.
Trying different things, I came to the conclusion that the OCSP NoCheck Extension (OID: 1.3.6.1.5.5.7.48.1.5) makes the IOS fail and reboot itself. Every other request runs fine.
I have tried with the value of the extension in Null ("0x05 0x00") and with no value, with no success.
When I took the "Critical" flag off the extension, the router didn't reboot, but it didn't return a certificate I could use (the extension wasn't in the response).
Is there a "template" I need to use? Any other thing I'm missing? I need this extension so that my software doesn't get in an infinite revocation check loop.
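For reference, an added example that is not part of the original post: a small Python checker for one DER-encoded X.509 Extension carrying id-pkix-ocsp-nocheck, applying the RFC 6960 rules (value SHALL be NULL, extension SHOULD be non-critical). The function names and the three sample byte strings are constructed for illustration.

```python
# Added example: validate a DER-encoded id-pkix-ocsp-nocheck Extension.
# Content octets of OID 1.3.6.1.5.5.7.48.1.5 (DER is canonical, so compare bytes).
OCSP_NOCHECK_OID_DER = bytes.fromhex("2b0601050507300105")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def check_nocheck(ext_der):
    """Return a list of findings; an empty list means the extension conforms."""
    try:
        tag, seq, end = read_tlv(ext_der, 0)
        if tag != 0x30 or end != len(ext_der):
            return ["not exactly one SEQUENCE"]
        tag, oid, pos = read_tlv(seq, 0)
        if tag != 0x06 or oid != OCSP_NOCHECK_OID_DER:
            return ["extnID is not id-pkix-ocsp-nocheck"]
        findings = []
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
            if val != b"\x00":
                findings.append("critical (RFC 6960: SHOULD be non-critical)")
            tag, val, pos = read_tlv(seq, pos)
        if tag != 0x04 or val != b"\x05\x00":
            findings.append("extnValue is not an OCTET STRING wrapping NULL (05 00)")
        if pos != len(seq):
            findings.append("trailing data after extnValue")
        return findings
    except ValueError as exc:
        return ["malformed DER: %s" % exc]

# Constructed sample encodings (not captured from any device).
OID_TLV = bytes.fromhex("06") + bytes([len(OCSP_NOCHECK_OID_DER)]) + OCSP_NOCHECK_OID_DER
NONCRITICAL = bytes.fromhex("300f") + OID_TLV + bytes.fromhex("04020500")
CRITICAL = bytes.fromhex("3012") + OID_TLV + bytes.fromhex("0101ff04020500")
EMPTY_VALUE = bytes.fromhex("300d") + OID_TLV + bytes.fromhex("0400")
```

Only `NONCRITICAL` passes with no findings; the critical and empty-value forms mentioned in the question are each flagged.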
There are two models to implement OCSP: the Direct Trust Model and the Delegated Trust Model. The Direct Trust Model is where the client trusts the OCSP server authority directly, without requiring third party CA authentication for the OCSP server's certificate. In the Delegated Trust Model, the OCSP server generates a public/private key pair, and sends the public key with a certificate signing request to a CA. The CA issues a certificate (that it signs), incorporating the OCSP server public key.
In the "direct trust model" scenario, the OCSP server cert must be provisioned on the router prior to OCSP being used. With "Validate OCSP server cert from an alternative PKI hierarchy", you should be able to create a trustpoint representing the OCSP server itself, and authenticate it -- this is how you'll provision the server cert on the router.