DynamicID authentication fails due to server certificate validation failure, if the server certificate does not contain a CRL distribution point

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk167177
Technical Level
Product	Mobile Access / SSL VPN, Endpoint Security Client, Endpoint Security VPN
Version	R80.10, R80.20, R80.30, R80.40
Date Created	01-Jun-2020
Last Modified	11-Jan-2021

Symptoms

DynamicID authentication fails due to a server certificate validation failure, if the server certificate does not contain a CRL distribution point.
Following errors are found when running the relevant user mode process debug, for example: In $FWDIR/log/cvpnd.elg in case of having issues with MAB portal using dynamic ID , or in $FWDIR/log/vpnd.elg in case of Remote Access VPN issue using dynamic ID:
- Certificate who has OCSP url only (And no CRL):
  
  cp_verify_certificate: chain level: 0, error: Could not retrieve CRL. OR cp_verify_certificate: Error - certificate #0 has no CRL-DP but has OCSP url. failing... finished with result code (-10) - (servercert: Error - server certificate validation failed!) [AU] dynamic_id_manager_callback(au=e13cece8): DynamicID faliure [CPSC] cpsc_get_msg_by_id: Cache HIT for CPSC_DID_REQUEST_FAILED
- Certificate who has no CRL DP and no OCSP url:
  
  cp_verify_certificate: certificate #%d has no CRL-DP/OCSP url. skipping...

Cause

The system considers the server certificate to be "untrusted", if it does not contain a CRL DP (Certificate Revocation List Distribution Point) and has OCSP only.

The system considers the server certificate to be "trusted", if it does not contain both CRL DP and OCSP url. This issue was fixed, refer "solution" section.

Solution

Note: To view this solution you need to Sign In .