Hello community!
I wanted to ask about some doubts we are facing during the redesign of a remote access service with one customer. The goal is to provide MFA. One factor is RADIUS and it is working fine. This is a cluster of 2 x 1800 on R81.10.08, centrally managed; the mgmt version is R81.20 jumbo 41.
For the other factor we are trying certificates. With certs created from the mgmt it works perfectly, but the customer needs to use certificates from an existing CA (it is not the AD). The certificates are already deployed on the clients, but when we try to use that cert we get a "certificate invalid" error on the client, and the logs on mgmt show "OCSP: could not connect to server. Make sure the server is up and running."
We have already created CA and subCA objects on mgmt, and I can also see traffic on port 80 from the gateway to the CA server, which I think is trying to validate the cert.
Is it mandatory to use OCSP to validate certificates from the CA, or do we have other options?
The cert CN is username@domain; is there any configuration to make the gateway read only the username portion?
Is there anything else we should do on the Check Point side? The customer has already asked the CA admin to check whether OCSP is enabled on the server, but I wanted to see if I am missing something.
Regards