DynamicID authentication fails due to server certificate validation failure if the server certificate does not contain a CRL distribution point
Symptoms
  • DynamicID authentication fails due to a server certificate validation failure if the server certificate does not contain a CRL Distribution Point.

  • The following errors are found in the debug output of the relevant user-mode process: in $FWDIR/log/cvpnd.elg when the issue affects the MAB portal using DynamicID, or in $FWDIR/log/vpnd.elg when it affects Remote Access VPN using DynamicID:

    • Certificate that has an OCSP URL only (and no CRL DP):

      cp_verify_certificate: chain level: 0, error: Could not retrieve CRL.
      or
      cp_verify_certificate: Error - certificate #0 has no CRL-DP but has OCSP url. failing...
      finished with result code (-10) - (servercert: Error - server certificate validation failed!)
      [AU] dynamic_id_manager_callback(au=e13cece8): DynamicID faliure
      [CPSC] cpsc_get_msg_by_id: Cache HIT for CPSC_DID_REQUEST_FAILED

    • Certificate that has neither a CRL DP nor an OCSP URL:

      cp_verify_certificate: certificate #%d has no CRL-DP/OCSP url. skipping...

Cause

The system considers the server certificate "untrusted" if it does not contain a CRL DP (Certificate Revocation List Distribution Point) and carries only an OCSP URL, because the revocation check cannot retrieve a CRL.

The system considers the server certificate "trusted" if it contains neither a CRL DP nor an OCSP URL, because the revocation check is skipped entirely. This issue has been fixed; refer to the Solution section.
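To tell in advance which of the three cases above a server certificate will fall into, the script below inspects its CRL Distribution Points and AIA (OCSP) extensions with OpenSSL and builds three constructed self-signed test certificates to exercise the check. This is an added example, not part of the SecureKnowledge article or Check Point code; it assumes OpenSSL 1.1.1 or later on PATH (for `req -addext`) and the hostnames and URLs are placeholders.

```shell
#!/bin/sh
# Classify a server certificate by the revocation pointers it carries and map it
# onto the three cases the article describes. Added example, not Check Point
# code; assumes OpenSSL 1.1.1 or later on PATH (for `req -addext`).
set -e

# classify_cert <cert.pem>: prints one of crl | ocsp_only | none
classify_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    if printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points'; then
        echo crl          # CRL-DP present: validation can fetch a CRL
    elif printf '%s\n' "$text" | grep -q 'OCSP - URI:'; then
        echo ocsp_only    # the failing case: OCSP URL but no CRL-DP
    else
        echo none         # neither pointer: the revocation check is skipped
    fi
}

# make_cert <out.pem> [openssl req options]: constructed self-signed test
# certificate; extra args (e.g. -addext ...) are passed through to openssl req
make_cert() {
    out=$1; shift
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 1 \
        -subj /CN=vpn.example.test -keyout /dev/null -out "$out" "$@" 2>/dev/null
}

WORK=$(mktemp -d)
make_cert "$WORK/crl.pem"  -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl'
make_cert "$WORK/ocsp.pem" -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test'
make_cert "$WORK/none.pem"

for case in crl ocsp none; do
    printf '%s.pem -> %s\n' "$case" "$(classify_cert "$WORK/$case.pem")"
done
```

Run `classify_cert` against the real server certificate used for DynamicID; a result of `ocsp_only` is the configuration that produces the "has no CRL-DP but has OCSP url. failing..." error above.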


Solution