ePO 5.10 Certificate-based Authentication Fails With OCSP/Fallback CRL Enabled

I've configured certificate-based authentication in my ePO 5.10 test environment and configured one of the user accounts with a smart card certificate.

If I manually upload a CRL and disable OCSP checking/CRL fallback checking, I can successfully log in with the smart card certificate. The problem is that the manually specified CRL is only good for 2 days, so I'm trying to configure the OCSP section along with CRL fallback, but it does not work.

Running certutil against the smart card certificate from the ePO server is successful for both OCSP and CRL so I don’t know why ePO fails the login when OCSP with CRL fallback is enabled.

From the Orion logs I see the following during the failure:

2019-09-09 12:09:28,360 ERROR [http-nio-8443-exec-21] ocsp.OCSPChecker  - Caught an Exception attempting to send request to OCSP server for http://ocsp.managed.entrust.com/OCSP/EMSSSPCAResponder
java.security.cert.CertPathValidatorException: Unable to verify OCSP Responder's signature
2019-09-09 12:09:28,610 ERROR [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - Error checking ocsp
java.security.cert.CertPathValidatorException: Additional certificate path checker failed.
2019-09-09 12:09:28,610 WARN  [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - OCSP Lookup Failed: java.security.cert.CertPathValidatorException: Certificate's revocation status is unknown
2019-09-09 12:09:28,610 ERROR [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - Error happened while checking ocsp status.
2019-09-09 12:09:28,610 ERROR [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - certificate chain:
2019-09-09 12:09:28,610 ERROR [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - CN=JOHN DOE,OU=XYZDepartment,O=Company,C=US
2019-09-09 12:09:28,610 ERROR [http-nio-8443-exec-21] cert.MFSCertManagerImplBase  - error checking online CRL
java.security.cert.CertPathValidatorException: No CRLs found for issuer "OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entrust, C=US"
Caused by: org.bouncycastle.jcajce.provider.AnnotatedException: No CRLs found for issuer "OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entrust, C=US"
    at org.bouncycastle.jcajce.provider.CertPathValidatorUtilities.getCompleteCRLs(Unknown Source)
    at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRL(Unknown Source)
    at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRLs(Unknown Source)
    ... 50 more
2019-09-09 12:09:28,610 WARN  [http-nio-8443-exec-21] servlet.LoginServlet  - Could not find valid cert :[Ljava.security.cert.X509Certificate;@9f3170a
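What the "Unable to verify OCSP Responder's signature" line in that log is actually testing, as an added Python example that is not code from this thread, from ePO or from McAfee. It uses the `cryptography` library to build a constructed test CA, a leaf certificate with an AIA extension, and a delegated OCSP responder entirely in memory (the OCSP URL is a constructed placeholder, not a real responder), then runs the same signer checks a path validator applies: the response must be signed either by the issuing CA or by a responder certificate that is carried in the response, is issued by that CA, and carries id-kp-OCSPSigning. The "delegated_without_cert" scenario is the case in which a validator has no way to verify the signer and reports exactly the error seen above.

```python
"""Added example, not from the thread: an offline model of the checks an OCSP
client must pass before trusting a response. All material is constructed in
memory with the `cryptography` library; nothing contacts a real responder."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2019, 9, 9, 12, 0, 0)      # constructed reference time
OCSP_URL = "http://ocsp.example.test/responder"    # constructed placeholder URL


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer, issuer_key, subject_key, ocsp_signing=False, aia=None):
    """Issue a minimal certificate; issuer=None makes it self-signed."""
    issuer_name = issuer.subject if issuer is not None else _name(subject_cn)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(issuer_name)
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=365)))
    if ocsp_signing:  # id-kp-OCSPSigning marks a delegated responder (RFC 6960 4.2.2.2)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    if aia is not None:
        b = b.add_extension(aia, critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def ocsp_urls_from_aia(cert):
    """The OCSP URL(s) a client learns from the certificate's AIA extension."""
    aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia if d.access_method == AuthorityInformationAccessOID.OCSP]


def build_response(leaf, ca, responder_cert, responder_key, include_responder_cert):
    """A 'good' OCSP response signed by responder_key, optionally embedding the responder cert."""
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=leaf, issuer=ca, algorithm=hashes.SHA256(),
                       cert_status=ocsp.OCSPCertStatus.GOOD,
                       this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
                       revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert))
    if include_responder_cert:
        b = b.certificates([responder_cert])
    return b.sign(responder_key, hashes.SHA256())


def _verifies(pub, sig, data, algo):
    try:
        pub.verify(sig, data, ec.ECDSA(algo))
        return True
    except InvalidSignature:
        return False


def verify_ocsp_response(resp, ca):
    """Return (trusted, reason), mirroring the responder-signature checks of a path validator."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder status " + resp.response_status.name
    # 1. Whose key signed the response? Only the issuing CA or a cert carried in the response count.
    signer = next((c for c in [ca, *resp.certificates]
                   if _verifies(c.public_key(), resp.signature, resp.tbs_response_bytes,
                                resp.signature_hash_algorithm)), None)
    if signer is None:
        return False, "unable to verify OCSP responder's signature"
    # 2. A delegated responder must chain to the same CA and be authorised for OCSP signing.
    if signer is not ca:
        if signer.issuer != ca.subject:
            return False, "responder certificate not issued by the CA"
        if not _verifies(ca.public_key(), signer.signature, signer.tbs_certificate_bytes,
                         signer.signature_hash_algorithm):
            return False, "responder certificate signature invalid"
        try:
            eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            eku = []
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return False, "responder certificate lacks id-kp-OCSPSigning"
    # 3. Only once the signer is trusted is the status itself meaningful.
    status = resp.certificate_status
    return status == ocsp.OCSPCertStatus.GOOD, status.name.lower()


def scenarios():
    """Run the checker against four constructed responses plus the AIA lookup."""
    ca_key, leaf_key, resp_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = make_cert("Constructed Test CA", None, ca_key, ca_key)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(OCSP_URL))])
    leaf = make_cert("JOHN DOE", ca, ca_key, leaf_key, aia=aia)
    responder = make_cert("Constructed Delegated Responder", ca, ca_key, resp_key, ocsp_signing=True)
    # Self-signed cert with the OCSP EKU but no chain to the CA: must be rejected.
    untrusted = make_cert("Unrelated Responder", None, other_key, other_key, ocsp_signing=True)
    return {
        "ca_signed": verify_ocsp_response(build_response(leaf, ca, ca, ca_key, False), ca),
        "delegated_with_cert": verify_ocsp_response(build_response(leaf, ca, responder, resp_key, True), ca),
        "delegated_without_cert": verify_ocsp_response(build_response(leaf, ca, responder, resp_key, False), ca),
        "untrusted_responder": verify_ocsp_response(build_response(leaf, ca, untrusted, other_key, True), ca),
        "ocsp_urls": ocsp_urls_from_aia(leaf),
    }
```

Calling `scenarios()` returns the verdict for each case. The CA-signed response and the delegated response that embeds its responder certificate are accepted; the delegated response that omits the responder certificate fails with "unable to verify OCSP responder's signature", and a response signed by a certificate that does not chain to the issuing CA is rejected even though it carries the OCSP-signing EKU. A tool such as certutil that fetches the responder's certificate separately, or trusts it from the local store, can report success for the same responder that a stricter in-process validator rejects, which is one reason the two checks in the question disagree.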

2 Replies

McAfee Employee

Re: ePO 5.10 Certificate-based Authentication Fails With OCSP/Fallback CRL Enabled

The error message above, "unable to verify OCSP responder's signature", would mean that the OCSP is providing an invalid cert.

• Does the certificate contain an embedded OCSP URL?
• If so, is that URL different than the one configured on the server?
• If so, is that URL reachable?

Please validate you have set it up by instructions in PD27630.



Re: ePO 5.10 Certificate-based Authentication Fails With OCSP/Fallback CRL Enabled

Hi, thanks for your reply. I've answered your questions below.

• Does the certificate contain an embedded OCSP URL?

Yes, the AIA extension of the smart card certificate contains the OCSP URL. Here is the full output of the AIA extension from the cert:

[1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://sspweb.managed.entrust.com/AIA/CertsIssuedToEMSSSPCA.p7c
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=ldap://sspdir.managed.entrust.com/ou=Entrust Managed Services SSP CA,ou=Certification Authorities,o=Entrust,c=US?cACertificate;binary,crossCertificatePair;binary (ldap://sspdir.managed.entrust.com/ou=Entrust%20Managed%20Services%20SSP%20CA,ou=Certification%20Authorities,o=Entrust,c=US?cACertificate;binary,crossCertificatePair;binary)
[3]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.managed.entrust.com/OCSP/EMSSSPCAResponder


• If so, is that URL different than the one configured on the server?

No, the OCSP URL in the AIA extension is the same URL referenced in the Orion error message.

• If so, is that URL reachable?

Yes, it's reachable, as I was able to run Certutil -URL certname.cer from the ePO server and the OCSP responder was verified.

I had reviewed pages 96-98 of PD27630 and configured accordingly. I don't understand why certificate auth using OCSP with CRL fallback would fail when manually uploading a CRL file allows certificate auth to succeed. Certutil -URL does not show there is any issue reaching the OCSP responder.

Thanks

Josh
