11-24-2013 01:43 AM - edited 02-21-2020 07:20 PM
hi forum,
I have done all the configuration for Cisco AnyConnect using certificates and revocation check using CRL. I am successful on this. Now the problem is I want to configure OCSP for revocation. I am stuck here; I am not able to successfully check the revocation, however the configuration is just 3 lines.
crypto ca trustpoint ABC_SUBCA_TRUSTPOINT
revocation-check ocsp
enrollment terminal
ocsp disable-nonce
ocsp url http://ocsp.abc.local/ocsp
================ when client tries to login using AnyConnect I receive the following debug messages ===================
CRYPTO_PKI: Sorted chain size is: 1
CRYPTO_PKI: Found ID cert. serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2
CRYPTO_PKI: Verifying certificate with serial number: 4123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca, signature alg: SHA1/RSA.
CRYPTO_PKI(Cert Lookup) issuer="c=ab,o=localcompany,ou=localcompany Section,cn=sub-ca" serial number=123456789 | C.]*R.7.
CRYPTO_PKI: Verify cert is polling for revocation status.
CRYPTO_PKI: Starting OCSP revocation
CRYPTO_PKI: no responder matching this URL; create one!
CRYPTO_PKI: http connection opened%ASA-3-717032: OCSP status check failed. Reason: OCSP Responder cert validation failed.
%ASA-3-717032: OCSP status check failed. Reason: Failed to verify OCSP response.
%ASA-3-717027: Certificate chain failed validation. Revocation status check polling failed for certificate, serial number: 123456789, subject name: c=ab,o=bc,ou=Finance,cn=TEST-USER2.
CRYPTO_PKI: OCSP response received successfully.
CRYPTO_PKI: OCSP found in-band certificate: serial number: 12345678988E3, subject name: c=ab,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=ab,o=localcompany, ou= localcompany Section,cn=sub-ca
CRYPTO_PKI: OCSP found in-band certificate: serial number: 1234567890B6D, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=sub-ca, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn= Root CA
CRYPTO_PKI: OCSP found in-band certificate: serial number: 123456789FE02, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: OCSP responderID byKeyHash
CRYPTO_PKI: OCSP response contains 1 cert singleResponses responseData sequence.
Found response for request certificate!
CRYPTO_PKI: Verifying OCSP response with 3 certs in the responder chain
CRYPTO_PKI: Validating OCSP response using trusted CA cert: serial number: 123456789DBC24, subject name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=Root CA
CRYPTO_PKI: Searching for ResponderID cert by keyhash
CRYPTO_PKI: Validating OCSP responder certificate: serial number: 12345678988E3, subject name: c=abc,o=localcompany,ou=localcompany security,cn=OCSP Signer, issuer_name: c=abc,o=localcompany,ou=localcompany Section,cn=SUB-CA , signature alg: SHA1/RSA
CRYPTO_PKI: verifyResponseSig:3111
CRYPTO_PKI: OCSP Responder cert validation failed -1
CRYPTO_PKI: Failed to verify response - invalid status being returned -1
CRYPTO_PKI: failed to verify OCSP response - -1
CRYPTO_PKI: transaction GetOCSP completed
CRYPTO_PKI: Process next cert in chain entered with status: 7.
CRYPTO_PKI: Process next cert, Invalid or CRL get failed.status: 7
CRYPTO_PKI: Calling callback with chain validation status: 7.
11-29-2013 12:47 AM
Hello John,
It looks like ASA is trying to check CRL for your OCSP responder certificate.
Are you sure you have the correct extension in your OCSP responder certificate:
OCSP no revocation checking
That extension will tell ASA not to check revocation list for your OCSP responder certificate
(without that we are trying to eat our own tail).
That extension is attached automatically if you have used template "OCSP Response Signing" (when generating cert on Microsoft OCSP responder)
Also please make sure that OCSP responder cert is trusted by ASA (signed by the CA which is installed on ASA)
Example can be found in this article:
http://www.cisco.com/en/US/products/ps12726/products_configuration_example09186a0080c1ea59.shtml
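The two conditions named in the reply above (the responder certificate carries the id-pkix-ocsp-nocheck extension, and it is signed by a CA the ASA trusts) can be checked offline before touching the ASA. The script below is an added example, not code from the thread or from Cisco; it builds a throwaway CA and two responder certificates in memory with the Python `cryptography` library (one issued with the nocheck extension, one without, mimicking a cert issued outside the "OCSP Response Signing" template) and reports each check separately so an operator can see which one would make the ASA reject the responder. Names such as `sub-ca` and `OCSP Signer` are taken from the debug output; everything else is constructed.

```python
"""Pre-flight checks for an OCSP responder (signing) certificate, matching what
the ASA debug complains about: OCSP Signing EKU, id-pkix-ocsp-nocheck, and a
signature from the trusted issuing CA.  Example code; certs are constructed."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _name(cn: str) -> x509.Name:
    # Constructed DN; country/org mirror the (anonymised) names in the debug
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "AB"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "localcompany"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def make_ca(cn: str = "sub-ca"):
    """Constructed issuing CA standing in for the sub-CA installed on the ASA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_ocsp_signer(ca_key, ca_cert, *, nocheck: bool) -> x509.Certificate:
    """Constructed responder cert; nocheck=False mimics one issued without the
    'OCSP Response Signing' template, i.e. missing id-pkix-ocsp-nocheck."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name("OCSP Signer")).issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=30))
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]),
                       critical=False)
    )
    if nocheck:
        # OID 1.3.6.1.5.5.7.48.1.5: tells the verifier not to check this cert's
        # own revocation status, which would otherwise loop back to the responder
        builder = builder.add_extension(x509.OCSPNoCheck(), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def check_ocsp_signer(signer: x509.Certificate, trusted_ca: x509.Certificate) -> dict:
    """Return every check individually so the failing one is visible."""
    result = {}
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        result["ocsp_signing_eku"] = ExtendedKeyUsageOID.OCSP_SIGNING in eku
    except x509.ExtensionNotFound:
        result["ocsp_signing_eku"] = False
    try:
        signer.extensions.get_extension_for_class(x509.OCSPNoCheck)
        result["ocsp_nocheck"] = True
    except x509.ExtensionNotFound:
        result["ocsp_nocheck"] = False
    # Issuer name must match the CA in the trustpoint, and the signature must
    # verify under that CA's key (a same-named CA with another key still fails)
    result["issued_by_trusted_ca"] = signer.issuer == trusted_ca.subject
    try:
        trusted_ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                       padding.PKCS1v15(), signer.signature_hash_algorithm)
        result["signature_valid"] = True
    except InvalidSignature:
        result["signature_valid"] = False
    result["ok"] = all(result.values())
    return result


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    for label, flag in (("with nocheck", True), ("without nocheck", False)):
        print(label, check_ocsp_signer(make_ocsp_signer(ca_key, ca_cert, nocheck=flag), ca_cert))
```

To apply this to a real responder, load the responder certificate and the trustpoint CA with `x509.load_pem_x509_certificate` and pass them to `check_ocsp_signer`; a `False` under `ocsp_nocheck` corresponds to the reply's first question, and a `False` under `issued_by_trusted_ca` or `signature_valid` to its second.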
04-28-2016 06:56 AM
Hi john.ebrahim83,
Are you able to fix the issue? Is it truly the issue with OCSP responder certificate?
Thanks,
Tao