AnsweredAssumed Answered

How to validate user certificate using a CRL?

Question asked by Arun.Addepalli on Feb 13, 2017
Latest reply on Mar 21, 2018 by Prashant0384

Like • Show 0 Likes0
Comment • 6

We tried below options:

1. Thru Manage Certificates / Certificate Validations. In this case we are not seeing any attempt to validate user certs in ssg logs or audit logs. This doesn't seem to work as we do not have use cert in AD / LDAP and do not authenticate using entire cert.

2. Using combination of "Lookup Certificate" & "Validate Certificate" policy assertions. Is our understanding correct in assuming that Lookup Certificate assertion actually loads the user cert against the defined output variable name? This option is giving the below error:

Certificate CN=*****, DC=****, DC=***** validation (REVOCATION) failed with status: CANT_BUILD_PATH

Unable to build path for certificate CN=*****, DC=****, DC=***** : Unable to find valid certification path to requested target.

Any pointers to the right direction would be appreciated.

-arun

Stephen_Hughes

Apr 22, 2017 2:12 PM

Correct Answer

Arun,

After reading your post, I want to make sure that an understanding is established around the Look Up Certificate. This assertion will draw a certificate stored in the Manage Certificates menu for trusted certificates. If this is what you are looking to do then lets proceed to review the error. When the gateway is unable to build the certificate path means that the signer of the certificate being reviewed is not added to the Manager Certificates and has the validation option "Certificate is a Trust Anchor" checked.

When you add in CRL or OCSP check, the Certificate Validation of the Manage Certificate menu needs to be configured as it is not enabled by default even though the option on the assertion is set. In addition, the certificate that signed the certificate used for CRL/OCSP signing needs to also be trusted on the gateway in the same way that we did above with the "Certificate is a Trust Anchor" option.

Sincerely,

Stephen Hughes

Director, CA Support

See the reply in context

No one else had this question

Outcomes

Arun.Addepalli Feb 16, 2017 9:18 PM

We regenerated user certs as well as Trusted certs as a chain (PKCS #7) and tested with them. No we are getting this error. Anyone any clue?

                        assertion="l7p:ValidateCertificate" status="Assertion Falsified">
                        <l7:detailMessage id="2042">Using static CRL URL: http://SOAcrl.domain.com/crldsubca/server1-SCA.crl</l7:detailMessage>
                        <l7:detailMessage id="2052">CRL cache for http://SOAcrl.domain.com/crldsubca/server1-SCA.crl refresh due at Thu Feb 16 21:09:19 GMT 2017; using cache</l7:detailMessage>
                        <l7:detailMessage id="2070">CRL scope does not cover certificate 'CN=domain, DC=env1, DC=env2', CRL URL is 'http://SOAcrl.domain.com/crldsubca/server1-SCA.crl'</l7:detailMessage>
                        <l7:detailMessage id="2034">Unable to build path for Certificate CN=domain, DC=env1, DC=env2: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=domain, DC=env1, DC=env2'.]</l7:detailMessage>
                        <l7:detailMessage id="10001">Certificate CN=domain, DC=env1, DC=env2 validation (REVOCATION) failed with status: CANT_BUILD_PATH</l7:detailMessage>

Actions

Stephen_Hughes

Apr 22, 2017 2:12 PM

Arun,

Sincerely,

Stephen Hughes

Director, CA Support

1 person found this helpful

Actions

Arun.Addepalli @ Stephen_Hughes on Apr 24, 2017 3:33 PM

Hello Stephen,

Thanks for the reply. This issue with revocation checking using a CRL is resolved with the help of CA support. Thanks!

-arun

Actions

Prashant0384 @ Arun.Addepalli on Mar 21, 2018 12:28 PM

Arun,

Can you please share resolution steps that CA support took to resolve the issue .

Thanks!

Prashant Srivastava

Actions

Prashant0384 Jan 23, 2018 4:23 PM

Hello Stephen/Arun,

Actually same issue I am also facing , need to validate CRL against user ,but after enabling we can see it failing for valid cert/user as well. We have set clusterwide property pkix.validation.other ,pkix.validation.routing and pkix.validation.identityProvider to control revocation checking for Identity provider ,routing and other.I have set all three attribute value as revocation using restman.

.Can you please share us complete info , what CA recommended on this issue.

FYI error :

Error message :

2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client

certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX

2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable

to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find val

id certification path to requested target; related error(s) [Revocation check failed for certificate'CN=Prashant S

rivastava (XX), OU=people, OU=XX, O=XX, C=XX.]

Actions

Stephen_Hughes

@ Prashant0384 on Jan 23, 2018 9:21 PM

Prashant,

From reviewing the case the primary driver was not around the error that you are seeing. The issue tends to lead into trusting the certificate that signed the CRL or the OCSP and that the right trust anchor certificate is set in Manage Certificates.

Sincerely,

Stephen Hughes

Director, CA Support

Actions

6 Replies

Arun.Addepalli Feb 16, 2017 9:18 PM
Mark Correct
Correct Answer
We regenerated user certs as well as Trusted certs as a chain (PKCS #7) and tested with them. No we are getting this error. Anyone any clue?

                        assertion="l7p:ValidateCertificate" status="Assertion Falsified">
                        <l7:detailMessage id="2042">Using static CRL URL: http://SOAcrl.domain.com/crldsubca/server1-SCA.crl</l7:detailMessage>
                        <l7:detailMessage id="2052">CRL cache for http://SOAcrl.domain.com/crldsubca/server1-SCA.crl refresh due at Thu Feb 16 21:09:19 GMT 2017; using cache</l7:detailMessage>
                        <l7:detailMessage id="2070">CRL scope does not cover certificate 'CN=domain, DC=env1, DC=env2', CRL URL is 'http://SOAcrl.domain.com/crldsubca/server1-SCA.crl'</l7:detailMessage>
                        <l7:detailMessage id="2034">Unable to build path for Certificate CN=domain, DC=env1, DC=env2: unable to find valid certification path to requested target; related error(s) [Revocation check failed for certificate 'CN=domain, DC=env1, DC=env2'.]</l7:detailMessage>
                        <l7:detailMessage id="10001">Certificate CN=domain, DC=env1, DC=env2 validation (REVOCATION) failed with status: CANT_BUILD_PATH</l7:detailMessage>
Like • Show 0 Likes0
Actions
Stephen_Hughes Apr 22, 2017 2:12 PM
Unmark Correct
Correct Answer
Arun,

After reading your post, I want to make sure that an understanding is established around the Look Up Certificate. This assertion will draw a certificate stored in the Manage Certificates menu for trusted certificates. If this is what you are looking to do then lets proceed to review the error. When the gateway is unable to build the certificate path means that the signer of the certificate being reviewed is not added to the Manager Certificates and has the validation option "Certificate is a Trust Anchor" checked.

When you add in CRL or OCSP check, the Certificate Validation of the Manage Certificate menu needs to be configured as it is not enabled by default even though the option on the assertion is set. In addition, the certificate that signed the certificate used for CRL/OCSP signing needs to also be trusted on the gateway in the same way that we did above with the "Certificate is a Trust Anchor" option.

Sincerely,

Stephen Hughes
Director, CA Support
1 person found this helpful
Like • Show 1 Like1
Actions
- Arun.Addepalli @ Stephen_Hughes on Apr 24, 2017 3:33 PM
  Mark Correct
  Correct Answer
  Hello Stephen,
  
  Thanks for the reply. This issue with revocation checking using a CRL is resolved with the help of CA support. Thanks!
  
  -arun
  Like • Show 0 Likes0
  Actions
  - Prashant0384 @ Arun.Addepalli on Mar 21, 2018 12:28 PM
    Mark Correct
    Correct Answer
    Arun,
    Can you please share resolution steps that CA support took to resolve the issue .
    
    Thanks!
    Prashant Srivastava
    Like • Show 0 Likes0
    Actions
Prashant0384 Jan 23, 2018 4:23 PM
Mark Correct
Correct Answer
Hello Stephen/Arun,

Actually same issue I am also facing , need to validate CRL against user ,but after enabling we can see it failing for valid cert/user as well. We have set clusterwide property pkix.validation.other ,pkix.validation.routing and pkix.validation.identityProvider to control revocation checking for Identity provider ,routing and other.I have set all three attribute value as revocation using restman.

.Can you please share us complete info , what CA recommended on this issue.

FYI error :

Error message :

2018-01-23T07:35:49.644+0100 INFO 772 com.l7tech.server.policy.assertion.ServerSslAssertion: 4114: Found client
certificate for CN=******S***** CA 1, OU=** 017, OU=CA, O=***, C=XX
2018-01-23T07:35:49.644+0100 WARNING 772 com.l7tech.server.identity.fed.FederatedIdentityProviderImpl: 2034: Unable
to build path for Certificate CN=Prashant SrivastavaOU=people, OU=CA, O=***, C=XX: unable to find val
id certification path to requested target; related error(s) [Revocation check failed for certificate'CN=Prashant S
rivastava (XX), OU=people, OU=XX, O=XX, C=XX.]
Like • Show 0 Likes0
Actions
- Stephen_Hughes @ Prashant0384 on Jan 23, 2018 9:21 PM
  Mark Correct
  Correct Answer
  Prashant,
  
  From reviewing the case the primary driver was not around the error that you are seeing. The issue tends to lead into trusting the certificate that signed the CRL or the OCSP and that the right trust anchor certificate is set in Manage Certificates.
  
  Sincerely,
  
  Stephen Hughes
  Director, CA Support
  Like • Show 1 Like1
  Actions

How to validate user certificate using a CRL?

Outcomes

Related Content

Recommended Content

Incoming Links