20,212 questions
In OCSP properties, update highlighted attributes.
OCSP handshake issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 80%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Cactus2002
10
Reputation points
I have an issue with Online Responder, configured Online Responders to check on the validity of the issued certificates in load balancing mode controlled through an external Load Balancer.
From what I can see, the Online Responder is working and giving OCSP responses from the 'certutil -url' command but failing with an unauthorized error during the handshake with OCSP service from ClearPass appliance.
Enabled OCSP logging but it did not capture any certificate verification requests including 'certutil -url'.
Any insight is greatly appreciated.
Environment:
OCSP Server: Windows 2019 server
Error:
OCSP response status: unauthorized EAP-TLS: fatal alert by server - internal_error TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed eap-tls: Error in establishing TLS session.
Windows for business | Windows Server | User experience | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
thenorthstar 0 Reputation points2023-09-20T18:20:45.29+00:00 Hi Cactus2002,
We are facing this exact same problem. Have you succeeded in resolving this?
Looking forward to your response. Thanks!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 40%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
PKIMan 0 Reputation points2023-09-20T18:22:20.1133333+00:00 Cactus2002, were you able to get this resolved? We're facing the same issue.
-
thenorthstar 0 Reputation points
2023-09-21T19:04:09.1366667+00:00 Solution: Updated highlighted once as per below and the issue was resolved, and the client successfully validated the certificate.
Hi @Cactus2002 can we please get a screenshot of the settings you changed to get this to work? Thanks!
Sign in to comment
3 answers
Sort by: Most helpful
-
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 40%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Cactus2002 5 Reputation points2023-09-20T18:44:51.96+00:00 Issue: The Online Responder is working and giving OCSP responses from the 'certutil -url' command but failing with an unauthorized error during the handshake with OCSP service from ClearPass appliance.
Error: OCSP response status: unauthorized EAP-TLS: fatal alert by server - internal_error TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate: certificate verify failed eap-tls: Error in establishing TLS session.
Solution: Updated highlighted once as per below and the issue was resolved, and the client successfully validated the certificate.
-
Deleted
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
-
PKIMan 0 Reputation points
2023-09-20T19:16:09.8066667+00:00 Cactus2002, thanks for the response. But could you please elaborate? Is this something we need to configure on CA side? or CPPM?
-
thenorthstar 0 Reputation points
2023-09-20T20:28:25.3233333+00:00 Hi Cactus2002, what exactly did you update to resolve this issue? And, were the changes made from the ClearPass side or the OCSP responder side?
Your answer seems to be cut off there.
-
PKIMan 0 Reputation points
2023-09-21T14:05:44.37+00:00 So sorry to bug you Cactus2002,
Solution: Updated highlighted once as per below and the issue was resolved, and the client successfully validated the certificate.
What needs to be updated? If your post has a screenshot it's not coming up. I can't see it.
-
thenorthstar 0 Reputation points
2023-09-22T15:18:01.0066667+00:00 Hi Cactus2002,
Is this something that we need to configure or change within the Clearpass Policy Manager?
Sign in to comment -
-
Cactus2002 5 Reputation points
2023-09-23T16:25:36.69+00:00 In OCSP properties, update attributes as per below.
Hash Algorithm to SHA256
Check - Do not prompt for credentials for cryptographic operations.
Check - Enable NONCE extension support.