Client or Device certificate authentication failed with ocsp responder
Article ID: CTX261727
Description
Client or device certificate authentication is in use and OCSP checking is set to Mandatory for the CA certificate.
Despite presenting a valid certificate, the client was not able to authenticate.
Authentication works if OCSP is set to Optional.
Resolution
The solution is to ensure that the time on the ADC and on the OCSP responder is in sync.
Problem Cause
Analysis of the traces showed that the OCSP response did successfully validate the client certificate, but the client-side connection was nonetheless reset (reset code 9300). Deeper investigation revealed a time mismatch: the time on the ADC was incorrect.
OCSP responses are time-stamped. If the validity period in the OCSP response lies outside the current time on the ADC (allowing for the default skew of +/- 5 minutes), the ADC does not consider the OCSP response valid, even though the responder reported the certificate as good. This timestamp validity check did not exist in 11.0 but does exist in higher versions.
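The following is an added example, not Citrix code, that models the time check described above: a "good" OCSP response is accepted only when the validator's own clock falls inside the response's thisUpdate/nextUpdate window, widened by the skew. The timestamps, the clock offsets and the function names are constructed for illustration.

```python
# Added illustration (not Citrix/ADC code) of the OCSP response time check.
# thisUpdate/nextUpdate values and clock offsets below are constructed.
from datetime import datetime, timedelta, timezone

DEFAULT_SKEW = timedelta(minutes=5)  # the +/- 5 minute default skew from the article


def ocsp_window_valid(this_update, next_update, now, skew=DEFAULT_SKEW):
    """Return (ok, reason). The response is acceptable only if 'now' (the
    validator's clock) lies within [thisUpdate - skew, nextUpdate + skew].
    A response without nextUpdate has no upper bound (RFC 6960 permits that)."""
    if this_update - skew > now:
        return False, "thisUpdate is in the future relative to the local clock"
    if next_update is not None and next_update + skew < now:
        return False, "nextUpdate has already passed relative to the local clock"
    return True, "inside validity window"


def check_client_cert(cert_status, this_update, next_update, now, skew=DEFAULT_SKEW):
    """Combine the responder's verdict with the freshness check: a 'good'
    status is trusted only when the window also covers local time."""
    ok, reason = ocsp_window_valid(this_update, next_update, now, skew)
    if not ok:
        return "REJECT", reason
    if cert_status != "good":
        return "REJECT", f"responder reports status {cert_status}"
    return "ACCEPT", "good and fresh"


# Constructed: the responder (with a correct clock) signed this response.
THIS_UPDATE = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
NEXT_UPDATE = THIS_UPDATE + timedelta(hours=1)


def demo():
    """Outcome of the same 'good' response under different validator clocks."""
    results = {}
    # Validator clock agrees with the responder: accepted.
    results["synced"] = check_client_cert("good", THIS_UPDATE, NEXT_UPDATE,
                                          THIS_UPDATE + timedelta(minutes=2))[0]
    # Validator clock 30 minutes behind: thisUpdate looks 30 min in the future,
    # which exceeds the 5 minute skew, so a valid certificate is rejected.
    results["clock_behind"] = check_client_cert("good", THIS_UPDATE, NEXT_UPDATE,
                                                THIS_UPDATE - timedelta(minutes=30))[0]
    # Validator clock 4 minutes behind: still inside the skew, accepted.
    results["within_skew"] = check_client_cert("good", THIS_UPDATE, NEXT_UPDATE,
                                               THIS_UPDATE - timedelta(minutes=4))[0]
    # Stale response: validator clock is past nextUpdate plus skew.
    results["stale"] = check_client_cert("good", THIS_UPDATE, NEXT_UPDATE,
                                         NEXT_UPDATE + timedelta(minutes=10))[0]
    return results
```

Comparing the `synced` and `clock_behind` outcomes shows why the connection is reset despite a "good" response: the responder never reported a problem, the validator's clock did.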