https://community.cisco.com/t5/network-security/asa-ocsp/m-p/3076148#M908101 <P>Hello!<BR />I have successfully operating OpenSSL OCSP responder with this hierarchy: <STRONG>RootCA &gt; OCSP responder</STRONG> (signed by RootCA).<BR />I have deployed a trustpoint (named <STRONG>RootCA</STRONG>) into the ASA with RootCA public key. So I expect that ASA will be trust to OCSP, because it's trusts to RootCA which signed OCSP sign key. But seems it is not. Due to VPN client connection I have</P> <P><BR /><EM>CRYPTO_PKI: Blocking chain callback called for OCSP response &lt;...&gt; status: 2</EM></P> <P><BR />debug message, which indicating a problem with certificate signer, according to BRKSEC-3053<BR /><A href="https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf" target="_blank">https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf</A><BR /><BR />So, I did import the OCSP key into separate trustpoint (named <STRONG>OCSP</STRONG>) and did create a certificate map with overriding OCSP rule.&nbsp; The revocation check hierarchy now looks like this: <BR /><STRONG>VPN client &gt; RootCA &gt; certificate map &gt; OCSP responder.</STRONG><BR />With that scheme, the OCSP responces are trusted and revocation check completed successfully.<BR /><BR />My questions are:<BR /><BR />1. Do we really need a separate trustpoint for OCSP signing key ?<BR />2. Or this is expected behavior with OCSP responder implementation in OpenSSL ?<BR />3. Or maybe I have missed something important ?<BR /><BR />Thank you!</P> Fri, 21 Feb 2020 14:03:53 GMT sharlino 2020-02-21T14:03:53Z https://community.cisco.com/t5/network-security/asa-ocsp/m-p/3076148#M908101 <P>Hello!<BR />I have successfully operating OpenSSL OCSP responder with this hierarchy: <STRONG>RootCA &gt; OCSP responder</STRONG> (signed by RootCA).<BR />I have deployed a trustpoint (named <STRONG>RootCA</STRONG>) into the ASA with RootCA public key. So I expect that ASA will be trust to OCSP, because it's trusts to RootCA which signed OCSP sign key. But seems it is not. Due to VPN client connection I have</P> <P><BR /><EM>CRYPTO_PKI: Blocking chain callback called for OCSP response &lt;...&gt; status: 2</EM></P> <P><BR />debug message, which indicating a problem with certificate signer, according to BRKSEC-3053<BR /><A href="https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf" target="_blank">https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3053.pdf</A><BR /><BR />So, I did import the OCSP key into separate trustpoint (named <STRONG>OCSP</STRONG>) and did create a certificate map with overriding OCSP rule.&nbsp; The revocation check hierarchy now looks like this: <BR /><STRONG>VPN client &gt; RootCA &gt; certificate map &gt; OCSP responder.</STRONG><BR />With that scheme, the OCSP responces are trusted and revocation check completed successfully.<BR /><BR />My questions are:<BR /><BR />1. Do we really need a separate trustpoint for OCSP signing key ?<BR />2. Or this is expected behavior with OCSP responder implementation in OpenSSL ?<BR />3. Or maybe I have missed something important ?<BR /><BR />Thank you!</P> Fri, 21 Feb 2020 14:03:53 GMT https://community.cisco.com/t5/network-security/asa-ocsp/m-p/3076148#M908101 sharlino 2020-02-21T14:03:53Z