
OCSP - response signature verification failed

Jagermeister
Level 1

Hi all,

 

I have configured my ISE setup to validate certificates against an external OCSP responder, but I cannot get it to work.

The 802.1X certificates that my supplicants are using are issued by the external CA, and my ISE setup has this certificate chain imported as trusted certificates. I've configured an OCSP profile that uses the OCSP URLs specified in the AIA of the cert. As I wish, validation of the response certificate is enabled.

 

Now, in my live log I'm seeing the following:

    0      Take OCSP servers list from AIA extension of client certificate - certificate for <cert name>
    12989  Sent an OCSP request to the next OCSP server in the list - External OCSP Server             0
    12567  OCSP server response signature verification failed - certificate for <cert name>            261
    12552  Conversation with OCSP server ended with failure - certificate for <cert name>               0

Looking into the prrt-server.log isn't revealing much either:

,0x7f787ae98700,NIL-CONTEXT,Crypto::Result=0, Crypto.OcspClient::performRequest - Response signature verification failed, result 0, error error:27069076:OCSP routines:OCSP_b

I've tried to validate the same cert on another device against the external OCSP responder, and there the response is accepted, so it seems that only my ISE setup is not able to validate the response signature for some reason. I decided to take a TCP dump on the PSN, and in the OCSP response it says the cert status is good.

 

How can I find more detailed information about why ISE thinks the response signature is invalid? 

7 Replies

How did you configure these options?

MHM

Nothing special; I try to validate it against my OCSP profile, which looks at the OCSP URL from the AIA in the certificate. I also tried to set the server manually, but it doesn't make a difference.

OCSP profile: (screenshot)

Disable Nonce only.

That's it.

MHM

Could you please try to uncheck the "Validate Response Signature" tick box and see if that makes any difference? From the logs you shared, it does seem that ISE can't validate the OCSP response from the server. I know you mentioned that you already imported the OCSP certificate chain, but I would double-check this, and I would also make sure that those certs are not expired. Alternatively, it could be something else in the OCSP response that ISE can't validate for some reason. What version of ISE are you running?

Hi @Jagermeister

In ISE, the components responsible for adding info to the prrt-server.log file are:

  • runtime-AAA
  • runtime-config
  • runtime-GRPC
  • runtime-logging

The default log level of all these components is WARN.

Try increasing the log level to get more info about your issue:

In Operations > Troubleshoot > Debug Wizard > Debug Log Configuration, select the node:

(screenshot of the Debug Wizard)

Hope this helps!

JPavonM
VIP

As @Aref Alsouqi said, try to disable "Validate Response Signature", as that worked for me. In my case, the Sectigo enterprise OCSP responder does not include the cert in the payload, and that's why ISE keeps returning "Unknown"; but if you check the cert using a Linux box and the command line, you will see the real response from the OCSP responder.

It makes no sense that Cisco ISE keeps enabling that by default when including the certificate in the payload is an optional feature in the RFC.