Note
The certificate index mentioned below follows the order in chain like server certificate has index 1, issuer of server certificate has index 2 and issuer of the issuer has index 3 and so on.| Operation | Log Details |
|---|---|
| Certificate contains OCSP URI, but device encountered error in parsing | Jan 9 22:51:51:E:Failed to parse responder IP=<junk data when parsing> URL from cert |
| OCSP Responder is not reachable | Jan 9 22:51:51:E:OCSP: Responder was not reachable due to error status |
| Certificate status is unknown | Jan 9 22:51:51:E:OCSP: Server/Intermediate Certificate of Index 2 in the chain is unknown |
| Certificate status if revoked | Jan 9 22:51:51:E:OCSP: Server/Intermediate Certificate of Index 1 in the chain is revoked |
| OCSP responder is reachable but returns failure | Jan 9 22:51:51:E:OCSP: Http error 201 returned from responder |
| OCSP responder returned invalid response status |
Jan 9 22:51:51:E:OCSP:The following are the various response status codes. This audit log will be filed for all statuses. except 0. successful (0) - Response has valid confirmations
malformedRequest (1) - Illegal confirmation request
internalError (2) - Internal error in issuer
tryLater (3) - Try again later
(4) - not used
sigRequired (5) - Must sign the request
unauthorized (6) - Request
unauthorized
Eg OCSP: Response status 1 is invalid
|
| OCSP responder returned response type in the packet not matching basic | Jan 9 22:51:51:E:OCSP:Response type is not OCSP basic |
| OCSP responder returned version not matching 0 | Jan 9 22:51:51:E:OCSP: Response version is invalid |
| OCSP responder returned repsonder tag not matching 1 or 2 | Jan 9 22:51:51:E:OCSP: Responder id tag 0 is invalid |
| OCSP responder sent a certificate whose thisUpdate time has expired | Jan 9 22:51:51:E:OCSP: Response has expired |
| OCSP responder sent a response where the signature algorithm is not SHA256 | Jan 9 22:51:51:E:OCSP: Response does not have responder certificate or data mismatch for responder tag <responder tag> |
| OCSP responder sent responder id tag as 1, but cert DN and responder data are not same | Jan 9 22:51:51:E:OCSP:Response does not have responder certificate or data mismatch for responder tag <responder tag> |
| OCSP responder sent responder id tag as 2, but cert public key hash and responder data don‘t match | Jan 9 22:51:51:E:OCSP:Response does not have responder certificate or data mismatch for responder tag <responder tag> |
| OCSP responder sent a certificate whose ASN parsing failed on the switch | Jan 9 22:51:51:E:OCSP: Responder certificate is invalid |
| OCSP responder sent a certificate without EKU field | Jan 9 22:51:51:E:OCSP: Responder certificate EKU field is NULL |
| OCSP responder sent a certificate without EKU field assigned to signing purpose | Jan 9 22:51:51:E:OCSP: Responder certificate EKU field is not set to OCSP signing purpose |
| OCSP responder sent a response without responder certificate or data mismatch | Jan 9 22:51:51:E:OCSP: Response does not have responder certificate or data mismatch for responder tag <responder tag> |