CRL and OCSP for trusted certificates are not checked.

ThomasW
ThomasW Posts: 6
edited April 2021 in Security
Hi, I've added a root CA as a trusted certificate, then configured the CRL and OCSP server, but the Zyxel does not validate client certificates that are signed by the root CA against CRL or OCSP.
How should I set up certificate authentication?

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee

    Hi @ThomasW

    Can you provide a screenshot of your configuration and a more detailed test procedure to us? (P.S. screenshots would be better.)

    If your ATP device does not validate client certificates that are signed by the root CA, does any error message appear?

    Thanks
  • ThomasW
    ThomasW Posts: 6
    Hi @Zyxel_Jeff

    Below is a screenshot of the Object -> Certificate -> "Trusted Certificates" screen.
    1. I've imported here the Root CA certificate of my private certificate authority and checked the following option:
       "Enable X.509v3 CRL Distribution Points and OCSP checking."

    2. I've checked "Authenticate Client Certificates" in System -> WWW

    3. I've created a client certificate and signed it with the same Root CA. The certificate is added to the "Personal" store in the Windows certificate store.

    4. I've tested whether it is possible to log in to the ATP. (Pointed the web browser to the external IP address of the ATP device.) The connection is established and it is possible to log in to the ATP.

    5. I've revoked the client certificate in the Root CA and published the CRL.

    6. I've tested whether access to the ATP is revoked. Unfortunately, the client with the revoked certificate can still log in to the ATP device using a web browser.

    Thanks
  • Hi, is there any update on this? I still cannot use a CRL list on the ATP device; any revoked certificate is accepted by the device, and users with a revoked certificate can access the device.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee

    Could you provide the device config file to us via private message for further checking?
    We would like to check the certificate authentication part.
    Thanks.
