ZW OCSP check certificate

alexey Posts: 188  Master Member
edited April 2021 in Security

Hi.

I am trying to configure certificate checking via OCSP from a local CA in ZWs.

I imported the root CA cert and the revoked cert, and configured the OCSP server.

In ZW the revoked certificate is displayed as valid.

Validation Result=successful.

With Windows certutil and the -url option, this certificate shows as revoked via OCSP.

What are the right steps for configuring cert checks in ZW?

All Replies

  • Zyxel_Emily Posts: 1,280  Zyxel Employee

    Hi @alexey,

    In CONFIGURATION > Object > Certificate > Trusted Certificates > Select Certificate, you need to enable Enable X.509v3 CRL Distribution Points and OCSP checking, enable OCSP Server and enter URL, ID and password.

    Then the certificate will be sent to the OCSP server for checking.

    Is the certificate signed by a valid third party, or is the certificate created in the local CA on ZyWALL?

    Can you share a screenshot of the test result from Windows certutil with us?

  • alexey Posts: 188  Master Member

    Hi @Zyxel_Emily .

    I enabled the OCSP server.

    I didn't enter an ID and password. OCSP is hosted on the local CA on IIS, and I enabled anonymous access.

    In the ID field I can't enter a domain user; a user@domain or domain\user ID doesn't save.

    OCSP check from certutil

    It is in revoked status.

    Why do ZW & Windows show different cert serial numbers?

    In Windows the SN is 7b 00 00 01 d5 70 9f 11 39 43 5f 15 42 00 03 00 00 01 d5, in ZW it is 2742991661856738105545648351641436845332496853. The SHA1 fingerprint is the same.

    This certificate is from a Windows Enterprise CA. The root CA is placed in the trusted certificates in ZW.
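
Added example, not part of the original thread: an OCSP request identifies a certificate by its issuer and serial number, so the two serial displays quoted in the post above can be compared by normalizing each to an integer. Doing so shows that the Windows hex bytes and the ZW number are the same value in base 16 and base 10. The function names are assumptions made for this illustration.

```python
import re

# Serial numbers as quoted in the post above. The leading U+200E is a
# constructed detail: an invisible mark that GUI copy-paste can prepend.
WINDOWS_SN = "\u200e7b 00 00 01 d5 70 9f 11 39 43 5f 15 42 00 03 00 00 01 d5"
ZW_SN = "2742991661856738105545648351641436845332496853"


def parse_serial(text, base=None):
    """Return an X.509 serial number as an int.

    Accepts hex with space or colon separators, or a plain decimal string.
    Invisible direction marks and BOMs are stripped first.
    """
    cleaned = re.sub(r"[\u200e\u200f\ufeff]", "", text).strip()
    if base is None:
        # Separators, hex letters or a 0x prefix mean hex. Digits alone are
        # ambiguous, so they are read as decimal unless the caller says so.
        looks_hex = re.search(r"[\s:a-fA-F]", cleaned) or cleaned[:2].lower() == "0x"
        base = 16 if looks_hex else 10
    if base == 16:
        cleaned = re.sub(r"^0x|[\s:]", "", cleaned, flags=re.I)
        if not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
            raise ValueError(f"not a hex serial: {text!r}")
    elif not re.fullmatch(r"[0-9]+", cleaned):
        raise ValueError(f"not a decimal serial: {text!r}")
    return int(cleaned, base)


def to_hex_bytes(serial):
    """Format an int serial as lowercase, space-separated hex byte pairs."""
    digits = f"{serial:x}"
    if len(digits) % 2:
        digits = "0" + digits  # keep whole bytes
    return " ".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def same_serial(a, b):
    """True when two displayed serials denote the same certificate serial."""
    return parse_serial(a) == parse_serial(b)


if __name__ == "__main__":
    print("same serial:", same_serial(WINDOWS_SN, ZW_SN))
    print("ZW value as hex bytes:", to_hex_bytes(parse_serial(ZW_SN)))
```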

  • Hi, I have the same problem with an ATP device. I've added the root CA as a trusted certificate, then configured the CRL and OCSP server, but Zyxel does not validate client certificates that are signed by the root CA against CRL or OCSP.
    How should I set up certificate authentication?
  • Hi, any updates on this?
  • Zyxel_Cooldia Posts: 1,431  Zyxel Employee
    Hi @ThomasW,
    We would like to conduct a lab test. Can you send me the device configuration file for further checking?
