Query on OCSP signer certificate #2209
Replies: 2 comments 1 reply
-
OCSP responses have to be signed by either the CA certificate directly, by an OCSP signer certificate (with OCSPSigning extended key usage flag) that is issued by the CA, or by a self-signed OCSP signer certificate. They can't be signed by a certificate from a completely unrelated CA.
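The signer rule stated in the reply above, exercised with openssl as an added example (not code from the thread or from strongSwan): it builds a constructed PKI (Demo Root, Demo Sub, a device cert, a delegated responder issued by the sub-CA, and a standalone self-signed responder), signs an OCSP response for the device cert with each candidate signer, and checks which ones a verifier accepts. The trust.pem file and the -VAfile option stand in for the x509ca and x509ocsp folders discussed in the thread; all names are made up and openssl 1.1.1 or newer is assumed on PATH.

```sh
#!/bin/sh
# Added example (not from the thread, not strongSwan code): a constructed PKI
# built with openssl to show which signers an OCSP verifier accepts.
# Names (Demo Root, Demo Sub, device, Demo OCSP, Standalone OCSP) are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
OCSP_EXT='basicConstraints=CA:FALSE
extendedKeyUsage=OCSPSigning'

# mkcert NAME CN ISSUER SERIAL EXTENSIONS   (ISSUER "" = self-signed)
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  printf '%s\n' "$5" > "$1.ext"
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "$4" \
      -days 3650 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}
mkcert root   "Demo Root"       ""   -      "$CA_EXT"
mkcert sub    "Demo Sub"        root 0x1    "$CA_EXT"
mkcert device "device"          sub  0x1001 'basicConstraints=CA:FALSE'
mkcert ocsp   "Demo OCSP"       sub  0x2    "$OCSP_EXT"   # delegated, issued by the CA
mkcert alone  "Standalone OCSP" ""   -      "$OCSP_EXT"   # self-signed responder
printf 'V\t401231235959Z\t\t1001\tunknown\t/CN=device\n' > index.txt  # 0x1001 is good
cat root.crt sub.crt > trust.pem   # what the relying party trusts (cf. x509ca/)

# respond SIGNER OUT: sign an OCSP response for 'device' with SIGNER's key
respond() {
  openssl ocsp -index index.txt -CA sub.crt -rsigner "$1.crt" -rkey "$1.key" \
    -issuer sub.crt -cert device.crt -no_nonce -noverify -respout "$2" >/dev/null 2>&1
}
# verify RESPONSE [extra openssl ocsp options]: 0 if the verifier accepts the signer
verify() {
  r=$1; shift
  openssl ocsp -respin "$r" -issuer sub.crt -cert device.crt -no_nonce \
    -CAfile trust.pem "$@" 2>&1 | grep -q 'Response verify OK'
}
respond sub ca.der; respond ocsp del.der; respond alone ss.der
verify ca.der  && echo "signed by the CA itself: accepted"
verify del.der && echo "delegated signer with OCSPSigning EKU, issued by the CA: accepted"
verify ss.der  || echo "self-signed signer, not explicitly trusted: rejected"
verify ss.der -VAfile alone.crt && echo "self-signed signer explicitly trusted (cf. x509ocsp/): accepted"
```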
-
Thanks @tobiasbrunner. We have enabled ocsp_check in strongswan.conf and "revocation = ifuri" is set in swanctl.conf. The OCSP signer certificate (OCSP signer cert) is issued by subCA1. The root certificate of this subCA1 (i.e. rootCA) is uploaded in the x509ca folder and x509ocsp folder. We observe OCSP verification is successful for the device cert.
But the error below is observed later:
Tunnel is established.
Though the tunnel is established, why is this error observed?
-
We have enabled ocsp_check in strongswan.conf and "revocation = strict" is set in swanctl.conf.
strongswan.conf
We have uploaded "Root certificate" of the OCSP response signer certificate in the x509ca folder and x509ocsp folder.
The error below is observed during tunnel establishment:
ocsp response verification failed, no signer certificate 'C=US, O=<O>, CN=<Signer CN>' found
We don't have the signer certificate beforehand; it is included in the OCSP response.
Can you please clarify why OCSP response verification is failing even though the root certificate of the signer is loaded in the x509ca folder?