FortiGate OCSP Integration
Problem
Especially in the VPN area, certificates are increasingly used for authentication. But what happens if such a certificate is revoked? How does FortiGate ensure that such a certificate can no longer be used?
Solution
With OCSP it is possible to check live whether a certificate is still valid or not.
For this purpose, when using the certificate, the certification authority is queried via an API whether the certificate used is still valid or has been withdrawn for some reason.
The certificate status at the certification authority is checked and not the expiration date or similar.
CRL vs. OSCP
CRL lists are cached on the system. OCSP is queried live via the certificate authority and thus receives a real-time response. Furthermore, OCSP does not need to check the complete CRL list, but directly requests the required certificate.
What can be a disadvantage for websites with a lot of traffic (a lot of traffic at the OCSP server) is a big advantage for the SSL-VPN security.
Configuration
The configuration between FortiGate and FortiAuthenticator is as follows:
Windows CA
Mostly a Windows CA is used as a certificate authority for machine or user certificates.
Here is a very good tutorial on how to configure the Windows server as an OCSP server.
FortiAuthenticator
OCSP must be enabled on the corresponding interface:
FortiGate
config vpn certificate ocsp-server
edit "FAC_ocsp"
set url "http://172.16.51.12:2560"
set cert "FAC_CA_Cert"
next
end
config vpn certificate settings
set ocsp-status enable
set ocsp-option server
set ocsp-default-server FAC_ocsp
sat strict-ocsp-check disable
end
- url: URL to the OCSP Server Endpoint (FortiAuthenticator is Port 2560)
- cert: Select which CA Cert the Server use
- ocsp-status: enable the OCSP check in general
- ocsp-option:
- server = Use the Server defined under "ocsp-server"
- certificate = Use the Server defined in the certificate
- oscp-default-server: select the default pre-defined "ocsp-server"
- strict-ocsp-check:
- disable (default): If the OCSP check is not possible the certificate is valid
- enable: If the OCSP check is not possible the certificate is invalid
Verify
diagnose debug application fnbamd -1
Debug messages will be on for 30 minutes.
[2395] handle_req-Rcvd auth_cert req id=1458978393, len=1105, opt=0
[915] __cert_auth_ctx_init-req_id=1458978393, opt=0
[103] __cert_chg_st- 'Init'
[139] fnbamd_cert_load_certs_from_req-1 cert(s) in req.
[99] __cert_chg_st- 'Init' -> 'Chain-Build'
[712] __cert_build_chain-req_id=1458978393
[199] fnbamd_chain_build-Chain discovery, opt 0x17, cur total 1
[215] fnbamd_chain_build-Following depth 0
[276] fnbamd_chain_build-Extend chain by system trust store. (good: 'G_CA_Cert_1')
[215] fnbamd_chain_build-Following depth 1
[229] fnbamd_chain_build-Self-sign detected.
[99] __cert_chg_st- 'Chain-Build' -> 'Validation'
[771] __cert_verify-req_id=1458978393
[772] __cert_verify-Chain is complete.
[427] fnbamd_cert_verify-Chain number:2
[441] fnbamd_cert_verify-Following cert chain depth 0
[498] fnbamd_cert_verify-Trusted issuer found: G_CA_Cert_1
[441] fnbamd_cert_verify-Following cert chain depth 1
[689] fnbamd_cert_check_group_list-checking group with name 'FAC-VPN'
[503] __check_add_peer-check 'radius_HQ-FAC'
[505] __check_add_peer-'radius_HQ-FAC' is not a peer user.
[503] __check_add_peer-check 'HQ-FAC'
[383] peer_subject_cn_check-Cert subject 'CN = Andy'
[419] peer_subject_cn_check-Subject is good.
[139] fnbamd_ocsp_ctx_push-Get ocsp setting from 'HQ-FAC_ocsp', vfid 2
[511] __check_add_peer-'HQ-FAC' check ret:pending
[742] fnbamd_cert_check_group_list-OCSP servers
[746] fnbamd_cert_check_group_list- 'HQ-FAC_ocsp', ref=2
[751] fnbamd_cert_check_group_list-Peer users
[757] fnbamd_cert_check_group_list- 'HQ-FAC' ('N/A','HQ-FAC_ocsp')
[808] __cert_verify_do_next-req_id=1458978393
[99] __cert_chg_st- 'Validation' -> 'Status-Query'
[641] __cert_status_query-req_id=1458978393
[443] __cert_ldap_query-req_id=1458978393
[564] __cert_ocsp_query-req_id=1458978393
[587] __cert_ocsp_query-Created OCSP request
[591] __cert_ocsp_query-OCSP query, idx 0
[419] fnbamd_http_push_url-http://172.16.51.12:2560
[337] __fnbamd_http_get_next_host-Parsing 'http://172.16.51.12:2560'
[343] __fnbamd_http_get_next_host-host=172.16.51.12 port=2560(http) path=/
[834] __fnbamd_http_dns_cb-DNS returned 172.16.51.12 (172.16.51.12), cur total:1
[839] __fnbamd_http_dns_cb-Connection starts (172.16.51.12)
[809] __fnbamd_http_start_conn-Connecting 172.16.51.12 (172.16.51.12)
[524] __http_conn_timer_start-172.16.51.12 (172.16.51.12)
[887] __fnbamd_cert_auth_run-Job pending, exit the state machine, req_id=1458978393
[1717] create_auth_cert_session-fnbamd_cert_auth_init returns 4, id=1458978393
[726] __connect-tcps_connect(172.16.51.12) is established.
[524] __http_conn_timer_start-172.16.51.12 (172.16.51.12)
[449] __http_make_request-HTTP 1.1 POST
[562] __http_send-Req total 226
[578] __http_send-Sent 226 bytes: pos=0, len=226
[583] __http_send-Sent all data: total=226
[623] __http_recv-Rcvd 1802 bytes: len=1802
[78] __http_code_check-good response, code=200
[155] __fnbamd_http_check_header-content-length: 1618
[644] __http_recv-Rcvd all data: total=1802, header=184, content-length=1618
[464] __http_stop-(172.16.51.12)
[472] __http_stop-Disconnectting 172.16.51.12 (172.16.51.12)
[499] __ocsp_query_cb-req_id=1458978393
[519] __ocsp_query_cb-Received OCSP rsp
[164] __cert_ocsp_resp_verify-Loaded OCSP server cert '(null)'
[340] fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=0(unspecified)
[186] __cert_ocsp_resp_verify-verify_ocsp_response returns 1 -1
[530] __ocsp_query_cb-OCSP res=0, status=1, server='HQ-FAC_ocsp', req_id=1458978393
[201] __cert_resume-req_id=1458978393
[99] __cert_chg_st- 'Status-Query' -> 'Done'
Comments
Post a Comment