Layer7 API Management

  • 1.  How to validate user certificate using a CRL?

    Posted Feb 13, 2017 04:29 PM

    We tried below options:

    1. Through Manage Certificates / Certificate Validations. In this case we are not seeing any attempt to validate user certs in the ssg logs or audit logs. This doesn't seem to work, as we do not have the user cert in AD / LDAP and do not authenticate using the entire cert.

    2. Using combination of "Lookup Certificate" & "Validate Certificate" policy assertions. Is our understanding correct in assuming that Lookup Certificate assertion actually loads the user cert against the defined output variable name? This option is giving the below error:

     

    Certificate CN=*****, DC=****, DC=***** validation (REVOCATION) failed with status: CANT_BUILD_PATH

    Unable to build path for certificate CN=*****, DC=****, DC=***** : Unable to find valid certification path to requested target.

     

    Any pointers to the right direction would be appreciated.

     

    -arun



  • 2.  Re: How to validate user certificate using a CRL?

    Posted Feb 16, 2017 04:19 PM

    We regenerated the user certs as well as the trusted certs as a chain (PKCS #7) and tested with them. Now we are getting this error. Does anyone have any clue?

     


                            assertion="l7p:ValidateCertificate" status="Assertion Falsified">
                            <l7:detailMessage id="2042">Using static CRL URL: http://SOAcrl.domain.com/crldsubca/server1-SCA.crl</l7:detailMessage>
                            <l7:detailMessage id="2052">CRL cache for http://SOAcrl.domain.com/crldsubca/server1-SCA.crl refresh due at Thu Feb 16 21:09:19 GMT 2017; using cache</l7:detailMessage>
                            <l7:detailMessage id="2070">CRL scope does not cover certificate 'CN=domain, DC=env1, DC=env2', CRL URL is 'http://SOAcrl.domain.com/crldsubca/server1-SCA.crl'</l7:detailMessage>
                            <l7:detailMessage id="2034">Unable to build path for Certificate CN=domain, DC=env1, DC=env2: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=domain, DC=env1, DC=env2'.]</l7:detailMessage>
                            <l7:detailMessage id="10001">Certificate CN=domain, DC=env1, DC=env2 validation (REVOCATION) failed with status: CANT_BUILD_PATH</l7:detailMessage>
                     



  • 3.  Re: How to validate user certificate using a CRL?
    Best Answer

    Broadcom Employee
    Posted Apr 22, 2017 10:13 AM

    Arun,

     

    After reading your post, I want to make sure that an understanding is established around the Look Up Certificate assertion. This assertion will draw a certificate stored in the Manage Certificates menu for trusted certificates. If this is what you are looking to do, then let's proceed to review the error. When the gateway is unable to build the certificate path, it means that the signer of the certificate being reviewed is not added to Manage Certificates with the validation option "Certificate is a Trust Anchor" checked.

     

    When you add in a CRL or OCSP check, the Certificate Validation of the Manage Certificates menu needs to be configured, as it is not enabled by default even though the option on the assertion is set. In addition, the certificate that signed the certificate used for CRL/OCSP signing also needs to be trusted on the gateway, in the same way that we did above with the "Certificate is a Trust Anchor" option.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
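    The answer above, and the "CRL scope does not cover certificate" / CANT_BUILD_PATH audit lines in the earlier reply, describe an order of operations: build the path to a trust anchor first, then make sure the CRL actually covers the certificate's issuer and is signed by a trusted key, and only then look up the serial number. The following is an added example that models those steps with the Python `cryptography` library; it is not Layer7/CA Gateway code. The CA, user certificates and CRLs are constructed in memory, and the status strings (`CANT_BUILD_PATH`, `CRL_SCOPE_DOES_NOT_COVER_CERT`, `CRL_SIGNER_UNTRUSTED`, `REVOKED`, `OK`) are labels chosen here to mirror the gateway's messages, not its actual return values.

```python
# Added example (not Layer7/CA Gateway code): a minimal model of the checks a
# gateway must pass before a user certificate can be declared "not revoked".
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn):
    """Self-signed CA: the kind of cert imported as a trust anchor (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_user_cert(ca_key, ca_cert, cn):
    """End-entity (user) certificate signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(cn)).issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def issue_crl(ca_key, ca_cert, revoked_serials):
    """CRL published by the CA, listing the given serial numbers as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW)
        .next_update(NOW + timedelta(days=7))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW).build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def check_revocation(cert, crl, trust_anchors):
    """Apply the checks in the gateway's order; return a descriptive status."""
    # 1. Path building: the issuer must be a trust anchor that really signed the
    #    cert. No anchor, or a bad signature, and nothing else can proceed.
    issuer = next((a for a in trust_anchors if a.subject == cert.issuer), None)
    if issuer is None:
        return "CANT_BUILD_PATH"
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "CANT_BUILD_PATH"
    # 2. CRL scope: a CRL only covers certificates issued by the CRL's issuer.
    if crl.issuer != cert.issuer:
        return "CRL_SCOPE_DOES_NOT_COVER_CERT"
    # 3. The CRL signer must be trusted; here the CA signs its own CRL, so the
    #    anchor's key is the one to check. A CRL with the right name but the
    #    wrong key proves nothing.
    if not crl.is_signature_valid(issuer.public_key()):
        return "CRL_SIGNER_UNTRUSTED"
    # 4. Only now is the serial-number lookup meaningful.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "REVOKED"
    return "OK"


def demo():
    """Constructed scenarios matching the failures reported in the thread."""
    ca_key, ca_cert = make_ca("Demo Sub CA")       # constructed, not a real CA
    other_key, other_ca = make_ca("Other CA")      # unrelated CA for the scope test
    rogue_key, rogue_ca = make_ca("Demo Sub CA")   # same name, different key
    good = issue_user_cert(ca_key, ca_cert, "good.user")
    bad = issue_user_cert(ca_key, ca_cert, "bad.user")
    crl = issue_crl(ca_key, ca_cert, [bad.serial_number])
    return {
        "no_anchor": check_revocation(good, crl, []),
        "wrong_crl": check_revocation(good, issue_crl(other_key, other_ca, []), [ca_cert]),
        "forged_crl": check_revocation(good, issue_crl(rogue_key, rogue_ca, []), [ca_cert]),
        "valid": check_revocation(good, crl, [ca_cert]),
        "revoked": check_revocation(bad, crl, [ca_cert]),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:>10}: {status}")
```

    The `no_anchor` case reproduces the CANT_BUILD_PATH status from the original post, and `wrong_crl` reproduces the "CRL scope does not cover certificate" audit detail: both fail before any serial number is examined, which is why the error shows up even for certificates that are not revoked.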



  • 4.  Re: How to validate user certificate using a CRL?

    Posted Apr 24, 2017 11:33 AM

    Hello Stephen,

     

    Thanks for the reply. This issue with revocation checking using a CRL is resolved with the help of CA support. Thanks!

     

    -arun



  • 5.  Re: How to validate user certificate using a CRL?

    Posted Mar 21, 2018 08:28 AM

    Arun,

    Can you please share the resolution steps that CA support took to resolve the issue.

     

    Thanks!

    Prashant Srivastava



  • 6.  Re: How to validate user certificate using a CRL?

    Posted Jan 23, 2018 11:24 AM

    Hello Stephen/Arun,

     

    Actually, I am also facing the same issue. I need to validate the user against a CRL, but after enabling it we can see it failing for a valid cert/user as well. We have set the clusterwide properties pkix.validation.other, pkix.validation.routing and pkix.validation.identityProvider to control revocation checking for identity provider, routing and other. I have set all three attribute values to revocation using restman.

     

    Can you please share the complete info on what CA recommended for this issue.

     

    FYI error:

     

    Error message:

     

    2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX

    2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate'CN=Prashant Srivastava (XX), OU=people, OU=XX, O=XX, C=XX.]



  • 7.  Re: How to validate user certificate using a CRL?

    Broadcom Employee
    Posted Jan 23, 2018 04:22 PM

    Prashant,

     

    From reviewing the case, the primary driver was not the error that you are seeing. The issue tends to lead into trusting the certificate that signed the CRL or the OCSP response, and making sure that the right trust anchor certificate is set in Manage Certificates.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support