CRL and OCSP for trusted certificates are not checked.
Hi @ThomasW
Can you provide a screenshot of your configuration and a more detailed test procedure to us? (P.S. It would be better if there are screenshots.)
If your ATP device does not validate client certificates that are signed by the root CA, does any error message appear?
Thanks
Hi @Zyxel_Jeff
Below is a screenshot of the Object -> Certificate -> "Trusted certifications" screen.
1. I've imported here the Root CA certificate of my private authority center and checked the following option:
2. I've checked "Authenticate Client Certificates" in System -> WWW.
3. I've created a client certificate and signed it with the same Root CA. The certificate is added to the "Personal" directory in the Windows certificate store.
4. I've tested whether it is possible to log in to the ATP (pointed a web browser to the external IP address of the ATP device). The connection is established and it is possible to log in to the ATP.
5. I've revoked the client certificate in the Root CA and published the CRL.
6. I've tested whether access to the ATP is revoked. Unfortunately, the client with the revoked certificate can still log in to the ATP device using a web browser.
Thanks
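The revocation test in steps 3 to 6 above can be reproduced off-device with the OpenSSL CLI, to confirm that a published CRL really causes a revoked client certificate to be rejected when revocation checking is enforced. This is an added example, not part of the original posts or of Zyxel's software; the CA name, client name, file names and config sections are constructed for the lab.

```bash
#!/usr/bin/env bash
# Constructed lab: throwaway "Lab Root CA" and client "lab-client" (hypothetical names).
build_lab() (   # $1 = empty working directory; runs in a subshell so cd stays local
  cd "$1" || exit 1
  mkdir newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -subj "/CN=Lab Root CA" -days 30 &&
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=lab-client" &&
  openssl ca -batch -config ca.cnf -in client.csr -out client.pem -notext &&
  openssl ca -config ca.cnf -revoke client.pem &&   # step 5: revoke the client cert
  openssl ca -config ca.cnf -gencrl -out crl.pem    # step 5: publish the CRL
)
validate() {   # $1 = lab dir, $2 = "crl" to enforce revocation checking
  if [ "$2" = crl ]; then
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$1/client.pem"
  else
    openssl verify -CAfile "$1/ca.pem" "$1/client.pem"   # chain only, CRL ignored
  fi
}
lab=$(mktemp -d)
build_lab "$lab" >/dev/null 2>&1 || echo "lab setup failed"
validate "$lab" nocrl >/dev/null 2>&1 && echo "chain only: accepted"
validate "$lab" crl   >/dev/null 2>&1 || echo "with CRL:   rejected"
```

Running the same two `openssl verify` commands against the real Root CA certificate, CRL and client certificate shows whether the published CRL itself lists the revoked certificate.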
Hi, is there any update on this? I still cannot use the CRL list in the ATP device; any revoked certificate is accepted by the device, and users with a revoked certificate can access the device.
Hi @ThomasW
Could you provide the device config file to us via private message for a further check? We would like to check the certificate authentication part.
Thanks.