CRL and OCSP for trusted certificates are not checked.

ThomasW
ThomasW Posts: 6
First Comment Second Anniversary
edited April 2021 in Security
Hi  I've added root CA as trusted certificate then configured crl and ocsp server but zyxel does not validate client certificates that are signed by root CA against crl or ocsp.
How should I setup certificate authentication? 

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,286  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @ThomasW

    Can you provide your screenshot of configuration and more detailed test procedure to us ? (p.s. if there are screenshots would be better.)

    If your ATP device does not validate client certificates that are signed by root CA, is there any error message appears?

    Thanks


    Untitled Image

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

  • ThomasW
    ThomasW Posts: 6
    First Comment Second Anniversary
    Hi @Zyxel_Jeff

    Below is screenshot of  Object -> Certificate -> "Trusted certifications" screen.
    1. I've imported here the Root CA certificate of my private authority center and checked following option:
              "Enable X.509v3 CRL Distribution Points and OCSP checking." 



    2. I've checked  "Authenticate Client Certificates" in System -> WWW


      


     3.  I've created a client certificate  and signed it by the same Root CA. Certificate is added to "Personal"  directory in windows certificate          store. 

     4.  I've tested if it is possible to login to ATP. (Pointed web browser to external IP address of ATP device)   connection is established and it is possible to login to ATP.

    5. I've revoked client certificate in Root CA and published CRL

    6. I've tested if access to ATP is revoked. Unfortunately, the client with revoked certificate still can login to ATP device using web browser. 



  • ThomasW
    ThomasW Posts: 6
    First Comment Second Anniversary
    Hi @Zyxel_Jeff

    Below is screenshot of  Object -> Certificate -> "Trusted certifications" screen.
    1. I've imported here the Root CA certificate of my private authority center and checked following option:
              "Enable X.509v3 CRL Distribution Points and OCSP checking." 



    2. I've checked  "Authenticate Client Certificates" in System -> WWW


      


     3.  I've created a client certificate  and signed it by the same Root CA. Certificate is added to "Personal"  directory in windows certificate          store. 

     4.  I've tested if it is possible to login to ATP. (Pointed web browser to external IP address of ATP device)   connection is established and it is possible to login to ATP.

    5. I've revoked client certificate in Root CA and published CRL

    6. I've tested if access to ATP is revoked. Unfortunately, the client with revoked certificate still can login to ATP device using web browser. 


    Thansk
  • ThomasW
    ThomasW Posts: 6
    First Comment Second Anniversary
    Hi is it any update on this? I still cannot use CRL list in atp device, any revoked certificate is accepted by device and users with revoked certificate can access device.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,286  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
     
    Could you provide the device config file to us via private message for further check? 
    We would like to check the part of certificate authentication.
    Thanks. 


    Untitled Image

    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)