Forum Discussion
barneb01_8208
Feb 24, 2012 (Nimbostratus)
Hi Aaron,
"nmc60.test.com cert" is installed on the client (not f5) and is the cert the f5 is attempting to authenticate via OCSP. The OCSP response is successful but the f5 doesn't like the purpose of the cert. Support had me load the client cert on the f5 and run the following ocsp commands...
openssl verify -purpose sslclient -CAfile PCRT_ALL.crt nmc60.test.com.crt
openssl verify -purpose sslserver -CAfile PCRT_ALL.crt nmc60.test.com.crt
both commands return the same result:
nmc60.test.com.crt: /CN=nmc60.test.com
error 26 at 0 depth lookup:unsupported certificate purpose
OK
We had the admin who provisions the certs modify the purpose and then I ran the openssl command again and got a positive result. Problem now is the OCSP server responds with an "unauthorized" OCSP response with the updated client cert.
The unauthorized response is a different issue, but I'm curious about the following...
What "purpose type" does the f5 expect when verifying the client cert?
Where in the ltm config can I view how the f5 is attempting to verify the cert and can those parameters be changed?
Brian
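As an added illustration of the "unsupported certificate purpose" result above (this script is not from the forum post or from F5), the following reproduces openssl's -purpose check with two constructed, throwaway self-signed certificates: one whose extendedKeyUsage is clientAuth and one restricted to serverAuth, so the same certificate passes one purpose and fails the other with error 26. It assumes an OpenSSL 1.1.1 or newer binary (for -addext) on the PATH.

```shell
#!/bin/sh
# Added example, not from the forum post: reproduce the "-purpose" check with
# two constructed, throwaway self-signed certificates. "client" carries the
# clientAuth extendedKeyUsage, "server" carries serverAuth only.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU: self-signed cert whose keyUsage allows TLS use and cert
# signing (so it is a valid self-signed anchor) and whose EKU is the argument.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1.example.test" \
    -addext "keyUsage = digitalSignature, keyEncipherment, keyCertSign" \
    -addext "extendedKeyUsage = $2" >/dev/null 2>&1
}

# purpose_check NAME PURPOSE: prints "OK", "error 26" or the raw verify output.
# Older releases print the error and a trailing OK (as in the post), so the
# output text is matched rather than the exit status.
purpose_check() {
  out=$(openssl verify -purpose "$2" -CAfile "$WORK/$1.crt" "$WORK/$1.crt" 2>&1) || true
  case "$out" in
    *"unsupported certificate purpose"*) echo "error 26" ;;
    *OK*) echo "OK" ;;
    *) echo "other: $out" ;;
  esac
}

make_cert client clientAuth
make_cert server serverAuth

# Cross-check each cert against both purposes: the EKU decides the outcome.
for name in client server; do
  for purpose in sslclient sslserver; do
    echo "$name cert, -purpose $purpose: $(purpose_check "$name" "$purpose")"
  done
done
```

The script only shows how openssl maps -purpose to the certificate's EKU and keyUsage extensions; it does not say which purpose a given F5 configuration applies, which is what the question above asks.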