OCSP Configuration

I am trying to get OCSP to work with both Device and User Certificates. I have managed to confirm that everything works using the command line; however, I cannot seem to figure out the proper responder configuration within Big-IP.

These work:

openssl ocsp -issuer issuing-ca-6.cer -cert myusercert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce
openssl ocsp -issuer issuing-ca-6.cer -cert mydevicecert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce

Both commands respond with “Response verify OK” plus a message indicating whether the certificate is revoked or good. Revoking a cert changes the status, so I believe all is good when using the CLI.

Our PKI environment has a root and multiple issuing CAs. issuing-ca-6.cer is the CA that signed the server certificate for the OCSP responder server. ca-bundle.crt includes the root and all issuing CAs.

Setup is as follows:

[screenshots not reproduced]

/ras/xxx-internal-ca_profile has a Trusted CA of ca-bundle.crt as used on the command line. Other parameters are default.

[screenshot not reproduced]

I have tried many options for the Responder config which at the moment looks like this. I presume this is where my problem lies:

[screenshot not reproduced]

Although openssl always provides the correct response, the Access Policy always tells me the certificate is revoked. I can confirm the certificate is being read properly because a sessiondump shows all of the certificate attributes.

Any guidance would be appreciated. Thanks.

APM 12.1.1


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

When you are testing from the command line, I assume you are doing this from the BIG-IP management interface, which has a route to the OCSP responder on the 10.1.1.0 network?

Does your Self-IP have a route to this network as well?

What is your OCSP Responder? Windows, Corestreet, Tumbleweed? Do you have nonce enabled by default on the responder and off on the OCSP profile?

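The command-line checks in the question and the nonce question in the answer can both be reproduced offline, which makes it possible to see what a nonce disagreement actually looks like instead of inferring it from the Access Policy's verdict. The script below is an added example written for this page, not code from the poster or from F5: it builds a throwaway issuing CA, a valid "device" certificate and a revoked "user" certificate (the CA name, serials, revocation date and file names are all made up), answers OCSP requests with openssl's own responder mode driven from files (-reqin/-respout, so no listener and no route are involved), and verifies the responses with and without a nonce. It does not touch BIG-IP; it isolates the two things the answer asks about so they can be checked one at a time.

```shell
#!/bin/sh
# Offline OCSP lab using only the openssl CLI. Everything below is constructed
# for this example: the lab CA, serials, dates and file names are assumptions,
# not the poster's PKI or any BIG-IP setting.

LAB=${LAB:-$(mktemp -d)}

# Throwaway issuing CA, one "device" cert that stays valid (serial 0x1000) and
# one "user" cert that is revoked in the CA index (serial 0x1001).
setup_pki() {
    dir=$1
    if [ -f "$dir/index.txt" ]; then return 0; fi   # already built
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Lab Issuing CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for entry in device:1000 user:1001; do
        name=${entry%:*}; serial=${entry#*:}
        openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=lab-$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -set_serial "0x$serial" -days 30 -out "$dir/$name.pem" >/dev/null 2>&1
    done
    # openssl ca(1) index format read by the responder: status, expiry,
    # revocation date (empty for valid entries), serial in upper-case hex,
    # certificate file, subject DN; fields are tab-separated.
    printf 'V\t351231235959Z\t\t1000\tunknown\t/CN=lab-device\n' > "$dir/index.txt"
    printf 'R\t351231235959Z\t240101000000Z\t1001\tunknown\t/CN=lab-user\n' >> "$dir/index.txt"
}

# Query the lab responder for one leaf cert with the given nonce policy
# ("nonce" or "no_nonce"). Prints the status word (good/revoked/unknown) only
# if the response verified; otherwise prints nothing and returns 1, so a
# chain or nonce failure can never be mistaken for a status.
ocsp_status() {
    dir=$1; leaf=$2; mode=$3
    req=$dir/$leaf.$mode.req; resp=$dir/$leaf.$mode.resp
    rm -f "$req" "$resp"
    case $mode in no_nonce) noncearg=-no_nonce ;; *) noncearg= ;; esac
    # Client: build the request (openssl adds a nonce unless -no_nonce).
    openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/$leaf.pem" $noncearg \
        -reqout "$req" >/dev/null 2>&1 || true
    [ -s "$req" ] || return 1
    # Responder: answer from the index, signed directly by the issuing CA.
    # -no_nonce here only stops openssl from adding a fresh nonce to the loaded
    # request; the responder still echoes the request's own nonce, if any.
    openssl ocsp -index "$dir/index.txt" -CA "$dir/ca.pem" -rsigner "$dir/ca.pem" \
        -rkey "$dir/ca.key" -rmd sha256 -no_nonce -reqin "$req" -respout "$resp" >/dev/null 2>&1 || true
    [ -s "$resp" ] || return 1
    # Client: verify against the *same* request so the nonce comparison is
    # meaningful (again -no_nonce so the stored request is not altered).
    if out=$(openssl ocsp -reqin "$req" -respin "$resp" -CAfile "$dir/ca.pem" \
                 -no_nonce -resp_text 2>&1); then
        case $out in *"Response verify OK"*) ;; *) return 1 ;; esac
        printf '%s\n' "$out" | sed -n 's/.*Cert Status: \([a-z]*\).*/\1/p' | head -n 1
    else
        return 1
    fi
}

# What a CLI test with -no_nonce never shows: a request carrying a fresh nonce
# checked against a response that echoes a different one. Returns 0 when
# openssl refuses the response, which is the expected outcome.
nonce_mismatch_detected() {
    dir=$1
    ocsp_status "$dir" device nonce >/dev/null || return 1   # produces device.nonce.resp
    if out=$(openssl ocsp -issuer "$dir/ca.pem" -cert "$dir/device.pem" \
                 -respin "$dir/device.nonce.resp" -CAfile "$dir/ca.pem" 2>&1); then
        return 1                     # accepted a response with a foreign nonce
    fi
    case $out in *[Nn]once*) return 0 ;; *) return 1 ;; esac
}

run_demo() {
    setup_pki "$1"
    for probe in device:no_nonce user:no_nonce device:nonce user:nonce; do
        printf '%-16s -> %s\n' "$probe" "$(ocsp_status "$1" "${probe%:*}" "${probe#*:}")"
    done
    if nonce_mismatch_detected "$1"; then
        echo 'foreign nonce    -> rejected by openssl (Nonce Verify error)'
    fi
}

run_demo "$LAB"
```

It needs only openssl; set LAB to reuse a directory between runs. ocsp_status returns good for the device cert and revoked for the user cert in both nonce modes, and nonce_mismatch_detected shows that a request built with a fresh nonce is refused outright, exit status 1 with "Nonce Verify error", when checked against an earlier response. openssl treats a nonce disagreement as a verification failure, not as a certificate status, and a CLI test run with -no_nonce cannot reach that path at all, which is why the answer's question about nonce settings on the responder and on the profile is worth settling before anything else.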