https://community.cisco.com/t5/network-access-control/ocsp-certificate-chain/m-p/5367832#M599729 <P>Hi,</P> <P>&nbsp; &nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/347992">@craiglebutt</a>&nbsp;Can you confirm that&nbsp;<STRONG>OCSP Client Profile&nbsp;</STRONG>and&nbsp;<STRONG>Certificate Status Validation&nbsp;</STRONG>steps have been properly configured? Use following document as a guide.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Within same document, you'll find instructions on how to enable runtime-aaa debugging and get the outputs from<STRONG>&nbsp;prrt-server.log</STRONG>, as well as perform packet capture. Post the logs and packet capture, this would help to identify the root cause. Ensure to enable debug logging for a limited time windows, as it has impact on ISE performance:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222150-configure-eap-tls-authentication-with-oc.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222150-configure-eap-tls-authentication-with-oc.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html</A></P> <P>Thanks,</P> <P>Cristian.</P> Thu, 05 Feb 2026 10:11:34 GMT Cristian Matei 2026-02-05T10:11:34Z https://community.cisco.com/t5/network-access-control/ocsp-certificate-chain/m-p/5367825#M599727 <P>Hi</P><P>Have 6 Nodes 2 PAN, 4 PSN, the OCSP certificate has an issue with the chain on the first responder, in this case call int PAN2.</P><P>PAN2 chain is in complete.</P><P>I'm guessing that the other nodes OCSP Responder looks at the first PAN but their certificates don't match.</P><P>5 of the nodes have the same chain.</P><P>So when trying to onboard it doesn't work.</P><P>Have logged a call with TAC, over a week ago, but they are making me swear.</P><P>Not sure how to fix this.</P><P>Cheers</P> Thu, 05 Feb 2026 09:09:24 GMT https://community.cisco.com/t5/network-access-control/ocsp-certificate-chain/m-p/5367825#M599727 craiglebutt 2026-02-05T09:09:24Z https://community.cisco.com/t5/network-access-control/ocsp-certificate-chain/m-p/5367832#M599729 <P>Hi,</P> <P>&nbsp; &nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/347992">@craiglebutt</a>&nbsp;Can you confirm that&nbsp;<STRONG>OCSP Client Profile&nbsp;</STRONG>and&nbsp;<STRONG>Certificate Status Validation&nbsp;</STRONG>steps have been properly configured? Use following document as a guide.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; Within same document, you'll find instructions on how to enable runtime-aaa debugging and get the outputs from<STRONG>&nbsp;prrt-server.log</STRONG>, as well as perform packet capture. Post the logs and packet capture, this would help to identify the root cause. Ensure to enable debug logging for a limited time windows, as it has impact on ISE performance:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222150-configure-eap-tls-authentication-with-oc.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222150-configure-eap-tls-authentication-with-oc.html</A></P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html</A></P> <P>Thanks,</P> <P>Cristian.</P> Thu, 05 Feb 2026 10:11:34 GMT https://community.cisco.com/t5/network-access-control/ocsp-certificate-chain/m-p/5367832#M599729 Cristian Matei 2026-02-05T10:11:34Z