Description
This article describes how to troubleshoot the scenario in which OCSP validation fails and the following is recorded in 'fnbamd' debugs:
# 680] _fnbamd_ocsp_get_rsp-Received OCSP response
Scope
All FortiOS versions.
Solution
The error indicates that the FortiGate cannot validate the response from the OCSP server. This is generally seen when the response is not signed by the certificate configured under 'vpn certificate ocsp-server'.
It is common for OCSP servers to sign responses with a dedicated key pair rather than the key pair of the CA. In such cases, it is best to import the actual OCSP responder certificate on the FortiGate and select it as the certificate under the OCSP server settings.
To check further, take a packet capture for the OCSP server IP and verify which certificate is included in the 'OCSP response' packet; this is the certificate that must be configured.
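The following Python script, added here as an example and not Fortinet code, uses the `cryptography` package to build a constructed test PKI in which the OCSP responder signs with its own key pair (all names are invented), and then checks which certificate the response signature actually verifies under: the responder's own certificate passes and the CA certificate does not, which is the situation this article describes. It also lists the certificate carried inside the response, which is what a packet capture would show.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.x509.ocsp import OCSPCertStatus, OCSPResponderEncoding, OCSPResponseBuilder
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer=None, issuer_key=None, ocsp_signing=False):
    """Certificate for the constructed test PKI; self-signed when no issuer is given."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(_name(cn))
         .issuer_name(issuer.subject if issuer else _name(cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=issuer is None, path_length=None), critical=True))
    if ocsp_signing:  # the dedicated responder certificate carries the OCSP Signing EKU
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def build_test_pki():
    """Constructed data: a CA, a responder with its own key pair, and a response signed by that key."""
    ca_key, ocsp_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = make_cert("Test CA", ca_key)
    responder = make_cert("Test OCSP Responder", ocsp_key, issuer=ca, issuer_key=ca_key, ocsp_signing=True)
    now = datetime.now(timezone.utc)
    response = (OCSPResponseBuilder()
                .add_response(cert=responder, issuer=ca, algorithm=hashes.SHA256(),
                              cert_status=OCSPCertStatus.GOOD, this_update=now,
                              next_update=now + timedelta(hours=1),
                              revocation_time=None, revocation_reason=None)
                .responder_id(OCSPResponderEncoding.HASH, responder)
                .certificates([responder])  # signer cert travels in the response, as seen in a capture
                .sign(ocsp_key, hashes.SHA256()))
    return ca, responder, response

def signed_by(response, cert):
    """True if the response signature verifies under cert's public key (the configured-cert check)."""
    try:
        cert.public_key().verify(response.signature, response.tbs_response_bytes,
                                 ec.ECDSA(response.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def embedded_signer_subjects(response):
    return [c.subject.rfc4514_string() for c in response.certificates]
```

Run against a real capture, the same `signed_by` check can be applied to a response loaded with `cryptography.x509.ocsp.load_der_ocsp_response` and to the certificate currently configured on the FortiGate.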
Copyright 2024 Fortinet, Inc. All Rights Reserved.