IPA: OCSP check on Cisco router is failing with error "PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed"

Solution Verified

Issue

  • When the Cisco router connected to the IPA server, OCSP validation worked fine.
  • When the Cisco router was pointed at the IPA replica instead, the OCSP check failed with the error below.
003380: Apr  8 09:41:47.174 CEST: CRYPTO_PKI: (A01A5)chain cert was anchored to trustpoint CA2, and chain validation result was: CRYPTO_INVALID_CERT
003381: Apr  8 09:41:47.175 CEST: CRYPTO_PKI: destroying ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 420, ref count 1
003382: Apr  8 09:41:47.175 CEST: CRYPTO_PKI: ca_req_context released
003383: Apr  8 09:41:47.175 CEST: PKI_REVO: Revocation process - wait fo

Environment

  • Red Hat Enterprise Linux 7
  • IPA 4.x
