Then, when browsing certain HTTPS websites, the user gets the following error on the exception page:
OCSP Error On Server Certificate (ssl_server_cert_ocsp_check_failed) OCSP check for server certificate failed due to error: "ocsp-signing-purpose-error"
On the CFSSL Debug (https://ProxySGip:8082/cfssl/debug), you will see the following error:
1315.756 SSLW 2FB0B4AC (EC001E1): OCSP responder 'TestOCSP': OCSP signing purpose error(root ca not trusted)
... or another similar error.
The Configuration and Management Guide document (CMG) has this to say:
Ignore OCSP signing purpose check: This setting ignores errors which are related to the OCSP signing delegation and applies only to Scenarios B and C. (See the "Basic OCSP Setup Scenarios" section.) The errors might occur in one of two ways:
- Scenario B - The response signer certificate is not delegated for the OCSP signing. The event log records this error as missing ocsp signing usage.
- Scenario C - The root CA does not have the trust setting enabled for the OCSP Signing. The event log records this error as root ca not trusted.
So, in this error case, the proxy detected that the CA certificate of the server does not have the trust setting enabled for the OCSP signing.
The customer needs to go to Configuration > SSL > OCSP > Edit the OCSP Responder, and check the "Ignore OCSP signing purpose check" option.
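To make the two scenarios concrete, here is an added example (not code from the article or from the ProxySG software) that builds a throw-away CA and two delegated OCSP responder certificates with the `cryptography` library and then classifies a response signer the same way the CMG describes: a signer that is the issuing CA itself passes, a delegated signer without the id-kp-OCSPSigning extended key usage yields "missing ocsp signing usage" (Scenario B), and a delegated signer whose CA is not marked as trusted for OCSP signing yields "root ca not trusted" (Scenario C). The CA names, the `classify_ocsp_signer` function and the `cas_trusted_for_ocsp` set that stands in for the appliance's per-CA trust setting are all assumptions made for illustration.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9): the EKU a delegated responder must carry
OCSP_SIGNING = ExtendedKeyUsageOID.OCSP_SIGNING


def _spki(cert):
    """DER SubjectPublicKeyInfo, used to compare public keys of two certificates."""
    return cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def classify_ocsp_signer(signer, issuer_ca, cas_trusted_for_ocsp):
    """Simplified model (an assumption, not the appliance's logic) of the signing
    purpose check. Returns "ok" or one of the event-log strings from the CMG.

    - Scenario A: the response is signed directly by the server's issuing CA.
    - Scenario B: a delegated signer must be issued by that CA and carry OCSP_SIGNING.
    - Scenario C: the CA itself must be trusted for OCSP signing; here that trust
      setting is modelled as a set of CA subject names.
    """
    if signer.subject == issuer_ca.subject and _spki(signer) == _spki(issuer_ca):
        return "ok"  # Scenario A: CA signed the response itself
    if signer.issuer != issuer_ca.subject:
        return "signer not issued by server's CA"
    # Confirm the delegated responder certificate really was signed by the CA.
    issuer_ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                  ec.ECDSA(signer.signature_hash_algorithm))
    try:
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        eku = []
    if OCSP_SIGNING not in eku:
        return "missing ocsp signing usage"  # Scenario B
    if issuer_ca.subject not in cas_trusted_for_ocsp:
        return "root ca not trusted"  # Scenario C
    return "ok"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(cn, issuer_name, key, signing_key, is_ca=False, eku=None):
    """Build a minimal certificate; constructed test data only."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if eku is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(signing_key, hashes.SHA256())


def build_fixtures():
    """Constructed CA plus a correctly and an incorrectly delegated responder cert."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Test Root CA", _name("Test Root CA"), ca_key, ca_key, is_ca=True)
    resp_key = ec.generate_private_key(ec.SECP256R1())
    good = _cert("TestOCSP responder", ca.subject, resp_key, ca_key, eku=[OCSP_SIGNING])
    # Same responder key, but only serverAuth: not delegated for OCSP signing
    bad = _cert("TestOCSP responder", ca.subject, resp_key, ca_key,
                eku=[ExtendedKeyUsageOID.SERVER_AUTH])
    return ca, good, bad


def demo():
    ca, good, bad = build_fixtures()
    return {
        "direct": classify_ocsp_signer(ca, ca, set()),
        "delegated_ok": classify_ocsp_signer(good, ca, {ca.subject}),
        "scenario_b": classify_ocsp_signer(bad, ca, {ca.subject}),
        "scenario_c": classify_ocsp_signer(good, ca, set()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the same classification against the real responder certificate (exported from the OCSP response) and the CA in the appliance's CA list tells you which of the two event-log strings applies, so the "Ignore OCSP signing purpose check" option is enabled knowing exactly which check it bypasses.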
Imported Document ID: 000014421