topic Re: Help with OCSP, few questions regarding the configuration in Endpoint

Help with OCSP, few questions regarding the configuration

796570686578 — Tue, 23 Apr 2024 15:04:36 GMT

Hello everyone,

I read the SK about implementing OCSP (https://support.checkpoint.com/results/sk/sk37803) and have a few questions.

Step 3 of the SK mentions to add the OCSP server's certificate data (Base64 encoded DER format)

- Is this the OCSPs servers' machine certificate? Or the certificate of the root CA?

- According to Windows Server Best Practice and the default certificate template for OCSP servers, they renew every 2 weeks. Do I really need to add the OCSP certificate? Is there a workaround? I know on Cisco devices you can disable the verification for OCSP Server response signing. I haven't found a corresponding setting on CP side. Can I leave the certificate empty?

- We have two OCSP servers behind a loadbalancer, if I need to specify the OCSP servers certificate, we'll run into another issue since we can only add once certificate. Do you know of any solution for that?

Any further advice/help is appreciated.

Thank you!

Re: Help with OCSP, few questions regarding the configuration

the_rock — Wed, 24 Apr 2024 02:02:31 GMT

Here is what I recall from this sk, but maybe someone else can confirm for sure.

1) Yes, its servers machine cert

2) I know customer that did end up leaving field empty and that worked, is that the right way? I cant say for sure, but it does work

3) That I honestly have no clue, but thats super valid concern, since load balancer is involved

If I were you, I would open TAC case to get an official response.

Best,

Andy

Re: Help with OCSP, few questions regarding the configuration

796570686578 — Wed, 24 Apr 2024 06:18:01 GMT

Hey Andy,

I appreciate your response.

I already had a case open but their response was "I think it is mandatory since it is a part of the steps described in the SK. It does not say whether it is mandatory or optional, so it's best to assume that it is mandatory.". (That was from an escalation engineer)

So it seems they don't know either... But if you have experience with leaving it empty, it might be possible.

Yesterday in a maintenance window, I tried to configure OCSP again and followed the SK step by step except leaving the certificate empty.

In the customers environment, only the Intermediate CA supports OCSP but the SK explicitly mentions the Root CA so I tried the following in GuiDBedit:

1. Assign OCSP server object to Root CA like mentioned in the SK

In iked.elg debugs I can see some OCSP related debugs but the verification ends with "fwCert_ValRevoke_cb: OCSP responder returned an 'unauthorized' status"
The certificate I was using is definitely not revoked(checked that with PKI team)
POST requests to /OCSP can be seen in the web server logs
My guess would be that it tries to check my certificate which is issued by the Intermediate CA, against the Root CA

2. Assign OCSP server object to Intermediate CA

Comparing the flow, I don't see any related OCSP debugs
POST requests to /OCSP are not present

Is it possible that OCSP on Intermediate CAs is not supported?

Thank you and best regards

Constantin

Re: Help with OCSP, few questions regarding the configuration

the_rock — Wed, 24 Apr 2024 11:16:56 GMT

Since I dont like to assume anything, I would not say that, but based on what customer informed me, it does work...is it officially supported, I have no clue, sorry.

Is it possible that OCSP on intermediate CA is not supported? I dont know 100% if that would be the case, but based on the research I did, appears it is doable. How, that Im not certain.

Andy