athirat
Staff
May 30, 2022

Technical Tip: OCSP certificate check failing with the error 'OCSP_basic_verify:certificate verify error'

Description

This article describes how to troubleshoot the scenario in which OCSP validation fails with the following recorded in the 'fnbamd' debug output:


[680] _fnbamd_ocsp_get_rsp-Received OCSP response
[330] fnbamd_verify_ocsp_rsp-Failed OCSP rsp verification (error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag)
[330] fnbamd_verify_ocsp_rsp-Failed OCSP rsp verification (error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error)
[330] fnbamd_verify_ocsp_rsp-Failed OCSP rsp verification (error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error)
[1809] auth_cert_ocsp_result-ocsp result is 5, index is 0


Scope

All FortiOS versions.

Solution

The error indicates that the response from the OCSP server cannot be validated by the FortiGate. This is generally seen when the response is not signed by the certificate configured under 'vpn certificate ocsp-server':

# config vpn certificate ocsp-server
    edit "test-ocsp"
        set url <>
        set cert "CA_Cert_1" --->
    next
end

It is common for OCSP servers to use a dedicated key pair rather than the key pair of the CA. In such cases, it is best to import the actual OCSP responder certificate itself on the FortiGate and select it as the certificate under the OCSP server settings ('set cert').

To check further, take a packet capture filtered on the OCSP server IP address and inspect the certificate included in the 'OCSP response' packet; compare it with the certificate configured under 'set cert'.
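The mismatch described above, reproduced with OpenSSL as an added example (not code from the original article or from Fortinet): a constructed lab CA issues a leaf certificate and a delegated OCSP responder certificate with its own key pair, and the signed response is then verified trusting only one certificate, the way 'set cert' does, first with an unrelated certificate and then with the responder's own certificate. The file and subject names (lab-ca, lab-ocsp, other.pem) and the use of 'openssl ocsp -VAfile' to model the configured certificate are assumptions of this example.

```shell
# Constructed lab PKI: CA -> leaf, and CA -> delegated OCSP responder with its own key pair.
set -eu
LAB=$(mktemp -d) && cd "$LAB"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign,digitalSignature\n' > ca.ext
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
for n in ca leaf ocsp; do
  openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" -subj "/CN=lab-$n" 2>/dev/null
done
openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext -days 1 -out ca.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 4096 -days 1 -out leaf.pem 2>/dev/null
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 4097 -extfile ocsp.ext -days 1 \
  -out ocsp.pem 2>/dev/null
# An unrelated self-signed certificate: stands in for a wrong choice under 'set cert' (assumed name).
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem -subj /CN=lab-other -days 1 2>/dev/null

# Responder database (serial 4096 = hex 1000 is valid); build the request and the signed response in one call.
printf 'V\t491231235959Z\t\t1000\tunknown\t/CN=lab-leaf\n' > index.txt
openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key \
  -issuer ca.pem -cert leaf.pem -no_nonce -respout resp.der >/dev/null 2>&1

# Who signed the response? This is what a packet capture of the 'OCSP response' would show.
show_signer() { openssl ocsp -respin resp.der -resp_text -noverify 2>/dev/null | grep 'Responder Id'; }

# Verify the stored response trusting only the certificate in $1, modelling 'set cert' on the FortiGate.
verify_with() { openssl ocsp -respin resp.der -issuer ca.pem -cert leaf.pem -no_nonce -VAfile "$1" 2>&1; }

show_signer                                  # Responder Id: CN = lab-ocsp
if verify_with other.pem; then               # wrong certificate: 'certificate verify error', as in fnbamd
  echo 'unexpected: wrong certificate accepted' >&2; exit 1
fi
verify_with ocsp.pem                         # the responder's own certificate: 'Response verify OK'
```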