OCSP Revocation Checking does not work as expected

Article ID: 232070

Products

CA API Gateway

Issue/Introduction

We have a problem in our environment regarding the revocation checking of a specific certificate.

I have 2 revocation checking policies configured:
1) CRL from certificate URL
2) OCSP (Default) from certificate URL

The few certificates that do not contain an OCSP URI are configured to use the CRL checking policy.
For the certificate which is signed by "Sectigo RSA Organization Validation Secure Server CA" I see a warning in the logging each time:

2021-11-03T08:19:58,054+0100 WARNING 1083 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

I have looked up some things about a missing nonce in the response message and I think it is simply because Sectigo does not send it in the headers.

That's why we set the validation for this certificate to CRL checking and even disabled it, but the error message keeps appearing in the logging.
Only when I set the default revocation checking to CRL does the message stop appearing in the logging.


Environment

Release : 10.0

Component : API GATEWAY

Resolution

 

To reproduce this error, connect to a backend that uses a certificate issued by Sectigo; the issuer should be 'CN=Sectigo RSA Organization Validation Secure Server'.

The OCSP URL in the leaf certificate is indeed 'http://ocsp.sectigo.com', the responder named in the error, and if you perform an OCSP check that requires a nonce, the responder answers but the reply does not contain the nonce.

2021-12-30T13:42:40.156+0100 WARNING 806 com.l7tech.server.transport.http.SslClientTrustManager: Error during OCSP check for responder 'http://ocsp.sectigo.com': OCSP nonce was required but not present in the response message

The gateway takes the OCSP URL from the leaf certificate but applies the revocation checking policy of the intermediate certificate when that intermediate is the trust anchor.

If your default OCSP policy requires a nonce, this revocation check will therefore fail.

If the intermediate certificate, in this case "Sectigo RSA Organization Validation Secure Server", is the trust anchor and you set the default policy to CRL, it works.

The other option is to create another OCSP policy that does not require a nonce and assign that policy to this intermediate certificate.
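The nonce check behind the warning above, as an added example that is not the gateway's code: it builds an OCSP request carrying a nonce, simulates a responder that either echoes or omits it, and applies a "require nonce" policy versus a policy that tolerates a missing nonce, which is the difference between the two resolutions. It uses the Python `cryptography` package; the issuer, leaf and responder are constructed test data, not Sectigo's certificates or responder.

```python
import os
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
NONCE_MISSING = "OCSP nonce was required but not present in the response message"

def make_test_chain():
    """Constructed self-signed issuer plus one leaf: test data only, not Sectigo's certificates."""
    ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test Issuing CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "backend.example.test")])
    def issue(subject, key, serial):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW)
                .not_valid_after(NOW + timedelta(days=1)).sign(ca_key, hashes.SHA256()))
    return issue(ca_name, ca_key, 1), ca_key, issue(leaf_name, leaf_key, 2)

def build_request(leaf, issuer):
    nonce = os.urandom(16)  # client side: fresh random nonce per request (RFC 6960, section 4.4.1)
    request = (ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA256())
               .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return request, nonce

def fake_responder(leaf, issuer, issuer_key, echo_nonce):
    # Simulated responder: a signed GOOD response; echo_nonce=None models a responder that omits the nonce.
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf, issuer=issuer, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=NOW + timedelta(hours=1), revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer))
    if echo_nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(echo_nonce), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())

def check_nonce(response, sent_nonce, require_nonce):
    """Gateway-style policy check: True if echoed, False if absent but tolerated, ValueError otherwise."""
    try:
        got = response.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        if require_nonce:
            raise ValueError(NONCE_MISSING)
        return False  # accepted, but a captured response stays replayable until next_update
    if got != sent_nonce:
        raise ValueError("OCSP nonce in response does not match the request")
    return True
```

A responder that never echoes the nonce passes only under the tolerant policy, which is why assigning a no-nonce OCSP policy (or CRL) to the trust anchor clears the warning; the trade-off is that such a response is not bound to the request and can be replayed within its validity window.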