Error: “Two certs issued by different CA, have the same OCSP AIA found.” on NetScaler

Article ID: CTX227241

Description

When installing a new certificate on NetScaler, either via the CLI or the GUI, the following error is displayed:
Two certs issued by different CA, have the same OCSP AIA found. This is not supported

Looking at the details of the two certificates, their Authority Information Access extensions resemble the following: both point to the same OCSP responder URL, while the CA Issuers URLs show that they were issued by different intermediate CAs.

CA: Intermediate CA 1
[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.example.com
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://crt.example.com/crt/IntermediateCA1.cer

CA: Intermediate CA 2
[1]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.example.com
[2]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://crt.example.com/crt/IntermediateCA2.cer

Resolution

To resolve this issue, remove the old certificate that carries the duplicate OCSP AIA extension.

You can find the cert-key pairs that contain the duplicate AIA extensions by running the following command from the NetScaler shell (each file name is quoted so that names containing spaces are handled, unmatched globs are skipped, and openssl errors on non-certificate files are suppressed):
for i in /nsconfig/ssl/*.crt /nsconfig/ssl/*.cert /nsconfig/ssl/*.cer; do [ -f "$i" ] || continue; out="$(openssl x509 -in "$i" -noout -ocsp_uri 2>/dev/null)"; if [ -n "$out" ]; then echo "$i        $out"; fi; done

This parses all files with the extension crt, cert or cer and prints the file name and the OCSP URI for each file that has one. Two lines showing the same OCSP URI for certificates from different CAs identify the pair that triggers the error.

The following is a sample output:
root@ns# for i in /nsconfig/ssl/*.c*r?; do out="$(openssl x509 -in $i -noout -ocsp_uri)";if [ ${#out} -gt 1 ]  ;then echo "$i        $out";fi;done
/nsconfig/ssl/certificate1.crt        http://ocsp.example.net
/nsconfig/ssl/certificate2.crt        http://ocsp.example.net
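The one-liner above only lists OCSP URIs; it is left to the operator to spot which files share a URI while coming from different issuers. The following script, added here as an example and not Citrix's own code, performs that grouping: it runs `openssl x509 -noout -issuer -ocsp_uri` on each file, groups files by OCSP URI, and reports only URIs that appear under more than one issuer DN, which is exactly the condition NetScaler rejects. It assumes the openssl CLI is on PATH and that its output is an `issuer=` line followed by one URI per line; the directory path, file patterns and the sample openssl output are assumptions constructed for the example.

```python
"""Flag OCSP AIA URIs shared by certificates from different issuers.

Added example, not NetScaler or Citrix code. Assumes the openssl CLI is
available and that `openssl x509 -noout -issuer -ocsp_uri` prints an
`issuer=...` line followed by one OCSP URI per line (no URI line when the
certificate has no OCSP entry in its AIA extension).
"""
import glob
import os
import subprocess
from collections import defaultdict


def parse_openssl_output(text):
    """Parse the text printed by `openssl x509 -noout -issuer -ocsp_uri`.

    Returns (issuer_dn, [ocsp_uri, ...]); the list is empty when the
    certificate carries no OCSP entry in its AIA extension.
    """
    issuer = None
    uris = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith(("http://", "https://")):
            uris.append(line)
    return issuer, uris


def find_conflicts(records):
    """records: iterable of (path, issuer_dn, [ocsp_uri, ...]).

    Returns {ocsp_uri: {issuer_dn: [path, ...]}} holding only the URIs that
    appear under more than one distinct issuer. Several files from the same
    issuer sharing a URI (for example a renewed certificate) are not flagged.
    """
    by_uri = defaultdict(lambda: defaultdict(list))
    for path, issuer, uris in records:
        for uri in uris:
            by_uri[uri][issuer].append(path)
    return {uri: {iss: sorted(paths) for iss, paths in issuers.items()}
            for uri, issuers in by_uri.items() if len(issuers) > 1}


def inspect_cert(path):
    """Run openssl on one certificate file; None if it is not a readable X.509 cert."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-issuer", "-ocsp_uri"],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    issuer, uris = parse_openssl_output(proc.stdout)
    return path, issuer, uris


def scan_directory(directory="/nsconfig/ssl",
                   patterns=("*.crt", "*.cert", "*.cer")):
    """Scan the NetScaler certificate directory (assumed path) for conflicts."""
    records = []
    for pattern in patterns:
        for path in sorted(glob.glob(os.path.join(directory, pattern))):
            record = inspect_cert(path)
            if record is not None:
                records.append(record)
    return find_conflicts(records)


# Constructed sample of what openssl would print for four files. certificate1
# and certificate2 reproduce the article's case (two intermediates, one OCSP
# responder); certificate3 is a renewal from the same CA as certificate1 and
# must not be flagged on its own.
SAMPLE_OPENSSL_OUTPUT = [
    ("/nsconfig/ssl/certificate1.crt",
     "issuer=CN = Intermediate CA 1, O = Example\nhttp://ocsp.example.com\n"),
    ("/nsconfig/ssl/certificate2.crt",
     "issuer=CN = Intermediate CA 2, O = Example\nhttp://ocsp.example.com\n"),
    ("/nsconfig/ssl/certificate3.crt",
     "issuer=CN = Intermediate CA 1, O = Example\nhttp://ocsp.example.com\n"),
    ("/nsconfig/ssl/other.crt",
     "issuer=CN = Other CA, O = Example\nhttp://ocsp.other.example\n"),
]


def conflicts_from_sample(sample=SAMPLE_OPENSSL_OUTPUT):
    """Run the check over the constructed sample instead of live files."""
    records = []
    for path, text in sample:
        issuer, uris = parse_openssl_output(text)
        records.append((path, issuer, uris))
    return find_conflicts(records)


if __name__ == "__main__":
    for uri, issuers in conflicts_from_sample().items():
        print(f"OCSP URI {uri} is shared by {len(issuers)} different issuers:")
        for issuer, paths in issuers.items():
            print(f"  {issuer}: {', '.join(paths)}")
```

On a live system, call `scan_directory()` instead of the sample. Note that `openssl x509` reads only the first certificate in a file, so a bundle containing a chain must be split before scanning, and that issuers are compared by their DN text: two CAs that happen to use the same subject name are treated as one issuer by this check.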


Problem Cause

Certificates with duplicate OCSP AIA extensions issued by different CAs (possibly different intermediate CAs chaining to the same root CA).

From NetScaler 11.1 55.x and 12.0 53.x, a new security check prevents users from adding certificates with duplicate OCSP AIA extensions. When such certificates are present on the NetScaler, they can cause OCSP request failures for the OCSP stapling feature and raise other security concerns.

This is being tracked under issue ID 694395. The issue is fixed in 11.1 55.13 and later and in 12.0 53.13 and later.

This will not occur in NetScaler builds earlier than 11.1 55.x and 12.0 53.x.

Issue/Introduction

When installing a new certificate on NetScaler, either via the CLI or the GUI, the following error is displayed: "Two certs issued by different CA, have the same OCSP AIA found. This is not supported"