I am trying to get OCSP to work with both Device and User Certificates. I have managed to confirm that everything works using the command line; however, I cannot seem to figure out the proper responder configuration within Big-IP.
openssl ocsp -issuer issuing-ca-6.cer -cert myusercert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce
openssl ocsp -issuer issuing-ca-6.cer -cert mydevicecert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce
Both commands respond with “Response verify OK” plus a message indicating if the certificate is revoked or good. Revoking a cert changes the status so I believe all is good when using the CLI.
Our PKI environment has a root and multiple issuing CAs. issuing-ca-6.cer is the CA that signed the server certificate for the OCSP responder server. ca-bundle.crt includes the root and all issuing CAs.
Setup is as follows:
/ras/xxx-internal-ca_profile has a Trusted CA of ca-bundle.crt as used on the command line. Other parameters are default.
I have tried many options for the Responder config which at the moment looks like this. I presume this is where my problem lies:
Although openssl always provides the correct response, the Access Policy always tells me the certificate is revoked. I can confirm the certificate is being read properly because a sessiondump shows all of the certificate attributes.
Any guidance would be appreciated. Thanks.
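As an added example (not part of the original post or the poster's PKI), the script below builds a throwaway CA and a local openssl OCSP responder so the two verification commands from the post can be exercised offline and their result parsed into good/revoked/error. All names, serials, and the port 18080 are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway CA + local OCSP responder to exercise the openssl ocsp
# checks from the post without touching a real responder. Needs the openssl CLI.
set -eu
W=$(mktemp -d); cd "$W"
# Constructed test CA (not the poster's issuing-ca-6 or ca-bundle).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=TestCA -days 2 >/dev/null 2>&1
mk() { # issue leaf cert $1 with decimal serial $2, signed by the test CA
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" -out "$1.crt" -days 1 >/dev/null 2>&1
}
mk good 1; mk bad 2
# CA database consumed by the responder: status, expiry, revocation time, hex serial, file, subject.
NOW=$(date -u +%y%m%d%H%M%SZ)
EXP=$(date -u -d '+1 day' +%y%m%d%H%M%SZ 2>/dev/null || date -u -v+1d +%y%m%d%H%M%SZ)
printf 'V\t%s\t\t01\tunknown\t/CN=good\nR\t%s\t%s\t02\tunknown\t/CN=bad\n' "$EXP" "$EXP" "$NOW" > index.txt
# Responder signs with the CA key itself, so -CAfile ca.crt on the client yields "Response verify OK".
openssl ocsp -index index.txt -port 18080 -rsigner ca.crt -rkey ca.key -CA ca.crt -nrequest 20 >/dev/null 2>&1 &
RESP=$!
trap 'kill $RESP 2>/dev/null || true' EXIT
# Wait until the responder answers (each probe consumes one of the -nrequest slots).
for i in 1 2 3 4 5; do
  openssl ocsp -issuer ca.crt -cert good.crt -url http://127.0.0.1:18080 -CAfile ca.crt -no_nonce >/dev/null 2>&1 && break
  sleep 1
done
ocsp_status() { # $1 = leaf cert file; prints good, revoked, or error (same flags as the post's commands)
  out=$(openssl ocsp -issuer ca.crt -cert "$1" -url http://127.0.0.1:18080 -CAfile ca.crt -no_nonce 2>&1) || true
  echo "$out" | grep -q 'Response verify OK' || { echo error; return 0; }
  if echo "$out" | grep -q ': revoked'; then echo revoked; else echo good; fi
}
ocsp_status good.crt
ocsp_status bad.crt
```

Revoking a serial here is just flipping its index.txt line from V to R, which mirrors the "revoking a cert changes the status" check in the post; the same response can be saved with -respout and inspected with -respin -text when a client such as an Access Policy disagrees with the CLI.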
When you are testing from command line, I assume you are doing this from the BIG-IP management interface? Which has a route to the OCSP responder on the 10.1.1.0 network?
Does your Self-IP have a route to this network as well?
What is your OCSP Responder? Windows, Corestreet, Tumbleweed? Do you have nonce enabled by default on the responder and off on the OCSP profile?