OCSP/CRL affect on JDS

Jason
Contributor II

Trying to gather data if anyone currently has OCSP/CRL settings set to "Require if Certificate Indicates" like the image below:

7a0d913dad824f09894108018af8dee6

If so, are you seeing any trust settings with the JDS? What I'm seeing is if I configure the settings above, then when I open Casper Admin, i get a certificate prompt while mounting the JDS that "The certificate cannot be verified (it specifies an untrusted CRL)". I can either manually trust it and I don't get prompted again, or I can turn off OCSP/CRL and the issue goes away as well. The JSS Built-in Certificate Authority and JSS Built-in Signing Certificate are both in place in the System keychain and the system is enrolled properly.

I do have a case open with JAMF currently, but they have 0 cases related to OCSP settings so are doing additional research.

2 REPLIES 2

tcam
Contributor

are you using a self signed certificate Or is your certificate signed by a certificate authority like verisign?

Jason
Contributor II

Tomcat is using a 3rd party cert, but the JDS is using the built-in JSS CA. Some more oddness is that 2 of my colleagues with OCSP/CRL settings matching mine are NOT having any issues. They still see the "untrusted CRL" warning if they look at the JSS cert in their system keychain, but don't get any trust prompts when using Casper Admin or other functionality. They also aren't manually touching any of the trust settings to directly trust the certs. They are on Mavericks and I'm on Yosemite however.