Hello everyone,
I thought I'd inform you all about a recent discovery I wasn't aware of and might be news for some of you as well.
A few weeks ago, we wanted to configure OCSP instead of CRL to validate VPN Client Certs. After a lot of back and forth we were informed that when using a 3rd Party CA (e.g. Microsoft Windows Certificate Authority) AND if there is an OCSP endpoint configured in the certificate, the gateway will automatically verify the certificate using OCSP and not CRL. Even if you have CRL configured in your LDAP Account Unit. This behavior is currently not documented at all, at least I didn't find it anywhere and CP support confirmed that as well. So you don't need to follow https://support.checkpoint.com/results/sk/sk37803 to configure OCSP.
The worst thing is that automatic fallback to CRL is currently not working and there is no priority on fixing this issue. Support was not able to tell me an ETA on a fix. I'm surprised that there is no priority on fixing this issue since I'm sure there are quite a lot of customers using certificates with a 3rd Party CA for authentication...
Maybe if more customers ask for an ETA or RFE, they will prioritize it.
How to check if you are using OCSP or CRL:
OCSP is enabled:
[Expert@gw01:0]# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 use_crl_for_revocation_method
SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 }
CRL is enabled:
[Expert@gw01:0]# ckp_regedit -p SOFTWARE/CheckPoint/VPN1 use_crl_for_revocation_method
SOFTWARE/CheckPoint/VPN1 : { CurrentVersion=[s]6.0 use_crl_for_revocation_method=[n]1 }
If your OCSP server is not responding, you currently have to set a parameter manually to switch to CRL.
Additionally, you can perform a packet capture between your gateway and CA to check whether OCSP or CRL requests are sent.
If you have any questions, feel free to ask!
Have a great day & best regards
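As a small aid for the packet-capture check mentioned above, here is an added example (my own illustration, not Check Point code and not anything that touches the gateway) that classifies HTTP requests seen between the gateway and the CA as OCSP or CRL traffic. It assumes you first capture the traffic, for instance with tcpdump on the gateway (`tcpdump -nn -i any host <CA_IP> and port 80 -w ca.pcap`, where `<CA_IP>` is a placeholder for your CA or responder address), and then extract the HTTP request payloads; the sample requests embedded in the block are constructed, and the host name `ca.example.internal` is made up.

```python
"""Classify HTTP requests between a VPN gateway and its CA as OCSP or CRL.

Added illustration, not Check Point code.  Detection rules used:
  * OCSP over POST: Content-Type application/ocsp-request (RFC 6960)
  * OCSP over GET : last path segment is base64 of a DER SEQUENCE (RFC 6960 A.1)
  * CRL fetch     : GET for a path ending in .crl
Anything else is reported as "other".
"""
import base64
import binascii
from collections import Counter
from urllib.parse import unquote


def parse_request(raw: bytes):
    """Split one raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    method, path = parts[0], parts[1]
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _looks_like_ocsp_get(path: str) -> bool:
    """True if the last path segment is a base64 DER blob (OCSP GET form)."""
    segment = unquote(path.rsplit("/", 1)[-1])
    if len(segment) < 8:
        return False
    try:
        der = base64.b64decode(segment, validate=True)
    except (binascii.Error, ValueError):
        return False
    # A DER-encoded OCSPRequest starts with the SEQUENCE tag 0x30.
    return der[:1] == b"\x30"


def classify(raw: bytes) -> str:
    """Return 'ocsp', 'crl' or 'other' for one captured HTTP request."""
    method, path, headers, _body = parse_request(raw)
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and ctype.startswith("application/ocsp-request"):
        return "ocsp"
    if method == "GET" and _looks_like_ocsp_get(path):
        return "ocsp"
    if method == "GET" and path.split("?", 1)[0].lower().endswith(".crl"):
        return "crl"
    return "other"


def summarize(requests):
    """Count how many requests of each kind were seen in the capture."""
    return dict(Counter(classify(r) for r in requests))


# Constructed sample requests standing in for payloads pulled from a capture.
# The base64 segment "MAMCAQU=" decodes to the DER bytes 30 03 02 01 05.
SAMPLE_REQUESTS = [
    b"POST /ocsp HTTP/1.1\r\nHost: ca.example.internal\r\n"
    b"Content-Type: application/ocsp-request\r\nContent-Length: 5\r\n\r\n"
    b"\x30\x03\x02\x01\x05",
    b"GET /ocsp/MAMCAQU%3D HTTP/1.1\r\nHost: ca.example.internal\r\n\r\n",
    b"GET /CertEnroll/Corp-Issuing-CA.crl HTTP/1.1\r\n"
    b"Host: ca.example.internal\r\n\r\n",
    b"GET /health HTTP/1.1\r\nHost: ca.example.internal\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req), req.split(b"\r\n", 1)[0].decode())
    print(summarize(SAMPLE_REQUESTS))
```

If the summary shows only OCSP requests while your LDAP Account Unit is set to CRL, the gateway is doing exactly what the post describes. CRL fetches over LDAP (port 389) are not HTTP and would need a separate filter in the capture.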