Created on 04-14-2020 12:47 AM
Edited on 11-21-2025 05:58 AM
By Jean-Philippe_P
Description
This article gives an introduction to OCSP and describes how to configure it in FortiOS.
OCSP (Online Certificate Status Protocol) Overview:
OCSP is used to check the revocation status of a digital certificate in real time. Unlike a CRL (Certificate Revocation List), OCSP reduces overhead by querying a certificate's status only when it is needed. FortiGate can use OCSP to validate certificates presented during SSL inspection or VPN connections.
Why is OCSP introduced:
[1] OCSP enables applications to determine the revocation status of digital certificates instead of (or as a supplement to) checking a periodic CRL. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder replies.
Certificate Revocation Lists are downloaded periodically and cached; they list the certificates that the CA has revoked. A certificate's status can change after the list was fetched, but the cached CRL will not reflect that change until the next update. OCSP avoids this problem by sending an on-demand request to an OCSP responder to confirm a certificate's status.
Note: There are pros and cons in using OCSP instead of CRL, which need to be weighed before enabling OCSP.
OCSP responses (Revocation status of a certificate):
Good: no certificate with the requested serial number that is currently within its validity interval has been revoked. A 'good' answer does not by itself assert that the certificate was ever issued, only that it is not known to be revoked.
Revoked: the certificate has been revoked, either temporarily (the revocation reason is certificateHold) or permanently.
Unknown: the responder does not know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.
Scope
FortiGate.
Solution
How to enable OCSP in FortiOS.
[2] FortiOS v6.2, v6.4.
config vpn certificate setting
set ocsp-status enable
set ocsp-option {certificate | server}
end
[3] FortiOS v6.0.
config vpn certificate setting
set ocsp-status enable
set ssl-ocsp-status enable
set ssl-ocsp-option {certificate | server}
end
Certificate: use the OCSP responder URL carried in the certificate itself (its Authority Information Access extension).
Server: use the URL of the OCSP server configured on the FortiGate.
Client traffic that requires OCSP validation must pass through a firewall policy with SSL deep inspection enabled; with certificate inspection only, the FortiGate does not validate the server certificate chain this way.
Verifying the behavior of OCSP in FortiOS:
Debugs.
diagnose debug app fnbamd -1
Debug messages will be on for 30 minutes.
diagnose debug enable
#
[2761] handle_req-Rcvd auth_cert req id=663797170, len=1050
[1213] __fnbamd_load_certs_from_req-2 cert(s) in req.
[1241] __fnbamd_build_cert_chain-2 cert(s) after re-org.
[3191] fnbamd_ca_chain_issuer_info-check local CA cache
[3243] fnbamd_ca_chain_build-check local CA cache
[1249] __fnbamd_build_cert_chain-3 cert(s) after local cache search.
[1250] __fnbamd_build_cert_chain-Chain is complete.
[817] __fnbamd_cert_verify-Following cert chain depth 0
[817] __fnbamd_cert_verify-Following cert chain depth 1
[886] __fnbamd_cert_verify-Trusted CA found: DigiCert_Global_Root_CA
[817] __fnbamd_cert_verify-Following cert chain depth 2
[1748] cert_check_group_list-checking group type 6 group name ''
[1881] fnbamd_auth_cert_check_status-res=4
[1851] fnbamd_cert_ocsp_init-Get OCSP setting from cert
[1822] get_cert_ocsp_responder-cert subject is C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = revoked.badssl.com
[1826] get_cert_ocsp_responder-cert issuer subject is C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
[333] fnbamd_ocsp_start-Created OCSP request
[168] ocsp_connect-Try url 1: host=ocsp.digicert.com port=80(http) path=/
[491] _fnbamd_ocsp_get_rsp-tcp connected
[522] _fnbamd_ocsp_get_rsp-Sent OCSP request
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 803
[1832] auth_cert_ocsp_result-ocsp result is 4, (0: http://ocsp.digicert.com)
[536] _fnbamd_ocsp_get_rsp-recv returned: 0
[595] _fnbamd_ocsp_get_rsp-Received OCSP response
warning: no nonce in OCSP response
OCSP status: revoked, reason=-1()
[644] _fnbamd_ocsp_get_rsp-Cert status REVOKED.
[1832] auth_cert_ocsp_result-ocsp result is 1, (0: http://ocsp.digicert.com)
[1674] auth_cert_success-Matched user name '', matched group name ''
[181] fnbamd_comm_send_result-Sending result 1 (error 13, nid 672) for req 663797170
Refer to the image below: the website 'revoked.badssl.com' uses a DigiCert certificate, and FortiGate sends an OCSP request to 'http://ocsp.digicert.com' to check the certificate's revocation status.
As the status returned is 'REVOKED', FortiGate presents the 'Fortinet Untrusted CA' certificate to the client.
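As an added example (not part of the original article), a small Python helper that reads the fnbamd debug output shown above and pulls out the fields that matter for the OCSP check: the subject and issuer CN, the responder fnbamd contacted, the reported status, and whether the "no nonce" warning was logged. The sample input is a constructed excerpt of that debug; treating anything other than 'good' as not trusted in is_trusted is the helper's own conservative assumption, not a statement of FortiGate's policy.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines excerpted from the fnbamd debug in this article.
SAMPLE_DEBUG = """\
[1822] get_cert_ocsp_responder-cert subject is C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = revoked.badssl.com
[1826] get_cert_ocsp_responder-cert issuer subject is C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
[168] ocsp_connect-Try url 1: host=ocsp.digicert.com port=80(http) path=/
warning: no nonce in OCSP response
OCSP status: revoked, reason=-1()
[644] _fnbamd_ocsp_get_rsp-Cert status REVOKED.
"""

@dataclass
class OcspCheck:
    subject_cn: Optional[str] = None
    issuer_cn: Optional[str] = None
    responder: Optional[str] = None  # host:port that fnbamd tried
    status: Optional[str] = None     # good / revoked / unknown, as reported by fnbamd
    nonce_missing: bool = False      # responder answered without echoing the nonce

_PATTERNS = {
    "subject_cn": re.compile(r"cert subject is .*?CN = ([^,]+)"),
    "issuer_cn": re.compile(r"cert issuer subject is .*?CN = ([^,]+)"),
    "responder": re.compile(r"Try url \d+: host=(\S+) port=(\d+)"),
    "status": re.compile(r"^OCSP status: (\w+)"),
}

def parse_fnbamd_ocsp(debug_text: str) -> OcspCheck:
    """Pull the OCSP-relevant fields out of 'diagnose debug app fnbamd -1' output."""
    check = OcspCheck()
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("warning: no nonce"):
            check.nonce_missing = True
        for name, pattern in _PATTERNS.items():
            if m := pattern.search(line):
                if name == "responder":
                    check.responder = f"{m.group(1)}:{m.group(2)}"
                elif name == "status":
                    check.status = m.group(1).lower()
                else:
                    setattr(check, name, m.group(1).strip())
    return check

def is_trusted(check: OcspCheck) -> bool:
    """Only 'good' is a positive answer; 'revoked' and 'unknown' are treated as not trusted (assumption)."""
    return check.status == "good"
```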
Related documents:
Technical Tip: FortiGate strict CRL check
What Is Online Certificate Status Protocol (OCSP)?