ZW ospc check certificate

alexey

Hi.

I try to configure certificate check by ocsp from local CA in ZWs.

I imported root CA cert, revoked cert, configure ocsp server.

In zw revoked certificate is displayed like valid.

Validation Result=successful.

By windows certutil with -url option this certificate looks revoked via ocsp.

What steps are right for configurating cert checks in ZW?

Zyxel_Emily

Hi @alexey,

In CONFIGURATION > Object > Certificate > Trusted Certificates > Select Certificate, you need to enable Enable X.509v3 CRL Distribution Points and OCSP checking, enable OCSP Server and enter URL, ID and password.

Then the certificate will be sent to OCSP server for checking.

Is the certificate signed by valid third party or Is the certificate created in local CA on ZyWALL?

Can you share the screen shot of test result on Windows certutil with us?

alexey

Hi @Zyxel_Emily .

I enable OCSP server

I don't enter id and password. OCSP is hosted on local CA on IIS, i enable anonymous enter.

In id i can't enter domain user, user@domain or domain\user id don't save.

OCSP check from certutil

It is in revoked status.

Why ZW & Windows show different cert serial number?

In windows SN ‎7b 00 00 01 d5 70 9f 11 39 43 5f 15 42 00 03 00 00 01 d5, in ZW 2742991661856738105545648351641436845332496853. SHA1 fingerprint is same.

This certificate from Windows Enterprise CA. Root CA is placed to trusted certificates in ZW.

ThomasW

Hi I have the same problem with atp device. I've added root CA as trusted certificate then configured crl and ocsp server but zyxel does not validate client certificates that are signed by root CA against crl or ocsp.
How should I setup certificate authentication? 

ThomasW

Hi any updates on this? 

Zyxel_Cooldia

Hi @ThomasW,
We would like to conduct a lab test, can you send me device configuration file to me for further checking?