This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
796570686578
Collaborator
‎2024-04-23 08:04 AM

Help with OCSP, few questions regarding the configuration

Hello everyone,

 

I read the SK about implementing OCSP (https://support.checkpoint.com/results/sk/sk37803) and have a few questions.

 

Step 3 of the SK mentions to add the OCSP server's certificate data (Base64 encoded DER format)

- Is this the OCSPs servers' machine certificate? Or the certificate of the root CA?

- According to Windows Server Best Practice and the default certificate template for OCSP servers, they renew every 2 weeks. Do I really need to add the OCSP certificate? Is there a workaround? I know on Cisco devices you can disable the verification for OCSP Server response signing. I haven't found a corresponding setting on CP side. Can I leave the certificate empty?

- We have two OCSP servers behind a loadbalancer, if I need to specify the OCSP servers certificate, we'll run into another issue since we can only add once certificate. Do you know of any solution for that?

Any further advice/help is appreciated.

Thank you!

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2024-04-23 07:02 PM

Here is what I recall from this sk, but maybe someone else can confirm for sure.

1) Yes, its servers machine cert

2) I know customer that did end up leaving field empty and that worked, is that the right way? I cant say for sure, but it does work

3) That I honestly have no clue, but thats super valid concern, since load balancer is involved

If I were you, I would open TAC case to get an official response.

Best,

Andy

796570686578
Collaborator
‎2024-04-23 11:18 PM
In response to the_rock

Hey Andy, 

I appreciate your response. 

I already had a case open but their response was "I think it is mandatory since it is a part of the steps described in the SK. It does not say whether it is mandatory or optional, so it's best to assume that it is mandatory.".  (That was from an escalation engineer)

So it seems they don't know either... But if you have experience with leaving it empty, it might be possible.

 

Yesterday in a maintenance window, I tried to configure OCSP again and followed the SK step by step except leaving the certificate empty.

In the customers environment, only the Intermediate CA supports OCSP but the SK explicitly mentions the Root CA so I tried the following in GuiDBedit:

1. Assign OCSP server object to Root CA like mentioned in the SK

  • In iked.elg debugs I can see some OCSP related debugs but the verification ends with "fwCert_ValRevoke_cb: OCSP responder returned an 'unauthorized' status"
  • The certificate I was using is definitely not revoked(checked that with PKI team)
  • POST requests to /OCSP can be seen in the web server logs
  • My guess would be that it tries to check my certificate which is issued by the Intermediate CA, against the Root CA

2. Assign OCSP server object to Intermediate CA

  • Comparing the flow, I don't see any related OCSP debugs
  • POST requests to /OCSP are not present

 

Is it possible that OCSP on Intermediate CAs is not supported?

 

Thank you and best regards

Constantin

0 Kudos
the_rock
Legend
Legend
‎2024-04-24 04:16 AM
In response to 796570686578

Since I dont like to assume anything, I would not say that, but based on what customer informed me, it does work...is it officially supported, I have no clue, sorry.

Is it possible that OCSP on intermediate CA is not supported? I dont know 100% if that would be the case, but based on the research I did, appears it is doable. How, that Im not certain.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events