pdkaradzhinov
Aug 26, 2019

Client Authentication - Address of the OCSP responder using AIA extension (LTM only)

Hello folks,

With regard to the PSD2 Directive, we would like to provide TPP (third-party payment service provider) authentication in LTM (without APM) via OCSP.

Certificates need to be validated against different OCSP responders, based on the X.509 AIA ("Authority Information Access") extension.

The idea is the following:

BIG-IP authenticates the client (SSL) and checks the client's certificate revocation status via OCSP, and sends X-Client-Certificate to the back-end for further processing (already done via an iRule).

I have found that there is an out-of-the-box iRule, "_sys_auth_ssl_ocsp", but I am not sure what its point is exactly and whether this iRule tries to reach the OCSP responders using the AIA. Also, there are some cases/articles on DevCentral which point out that if we leave the URL blank in the OCSP Responders configuration under Local Traffic ›› Profiles : Authentication : OCSP Responders ›› New OCSP Responder..., the BIG-IP will use the AIA to contact the OCSP responders.

To make things more complicated, we need to reach the OCSP responders via an explicit outbound proxy.

I will appreciate any kind of advice and help.

Thank you!
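As an added illustration (not part of the original post, and not BIG-IP, F5 or iRule code), the following Python shows what "use the AIA to find the responder" amounts to in a validator: decode the AuthorityInfoAccess extension, pick the id-ad-ocsp URI, fall back to a statically configured responder when the certificate carries none (fail closed if neither exists), and prepare the OCSP POST so it leaves through an explicit outbound proxy. The AIA value is constructed in-line with a tiny DER encoder so the script runs offline; the CA, responder and proxy URLs are placeholders, and nothing is actually sent. How BIG-IP itself implements AIA lookup or proxying is not shown here.

```python
"""Locate an OCSP responder from a certificate's AIA extension (RFC 5280 4.2.2.1)
and prepare an OCSP POST that goes out through an explicit proxy.

Added example, not BIG-IP code. The AIA value below is constructed with a tiny
DER encoder so the script runs offline; all URLs are placeholders."""
import urllib.request
from urllib.parse import urlparse

ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers

# --- minimal DER helpers (definite-length only, which is all DER allows) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _der(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0   # first arc is 0 or 1 for these OIDs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_aia(entries):
    """Encode AuthorityInfoAccessSyntax from [(accessMethod OID, URI), ...]."""
    descs = b"".join(_der(0x30, _encode_oid(oid) + _der(0x86, uri.encode("ascii")))
                     for oid, uri in entries)
    return _der(0x30, descs)

def parse_aia(ext_value):
    """Decode AuthorityInfoAccessSyntax (the DER inside the extension's OCTET STRING)
    into {accessMethod OID: [URI, ...]}. Non-URI GeneralNames are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AIA is not a SEQUENCE")
    found, pos = {}, 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        t, oid_body, p = _read_tlv(desc, 0)
        if t != 0x06:
            raise ValueError("accessMethod is not an OID")
        t, loc, _ = _read_tlv(desc, p)
        if t == 0x86:                       # [6] uniformResourceIdentifier
            found.setdefault(_decode_oid(oid_body), []).append(loc.decode("ascii"))
    return found

def ocsp_responder_for(ext_value, fallback=None):
    """Pick the responder the way a validator would: first usable id-ad-ocsp URI,
    else the statically configured fallback, else fail closed."""
    for uri in parse_aia(ext_value).get(ID_AD_OCSP, []):
        if urlparse(uri).scheme in ("http", "https"):
            return uri
    if fallback:
        return fallback
    raise ValueError("certificate carries no usable OCSP URI and no fallback is configured")

def build_proxy_opener(proxy_url):
    """Route every responder fetch through an explicit outbound proxy, never direct."""
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))

def build_ocsp_post(responder_url, ocsp_request_der):
    """HTTP POST carrying a DER OCSPRequest (RFC 6960 appendix A)."""
    req = urllib.request.Request(responder_url, data=ocsp_request_der, method="POST")
    req.add_header("Content-Type", "application/ocsp-request")
    req.add_header("Accept", "application/ocsp-response")
    return req

# Constructed sample: a leaf certificate's AIA listing the CA issuer URL and an OCSP URL.
SAMPLE_AIA = build_aia([(ID_AD_CA_ISSUERS, "http://ca.example.com/ca.cer"),
                        (ID_AD_OCSP, "http://ocsp.example.com/")])

if __name__ == "__main__":
    responder = ocsp_responder_for(SAMPLE_AIA, fallback="http://ocsp.fallback.example/")
    print("AIA:", parse_aia(SAMPLE_AIA))
    print("responder:", responder)
    opener = build_proxy_opener("http://proxy.internal.example:3128")  # placeholder proxy
    req = build_ocsp_post(responder, b"\x30\x00")  # placeholder body, not a real OCSPRequest
    print("would POST", len(req.data), "bytes to", req.full_url, "via", type(opener).__name__)
```

The fallback parameter mirrors the operational question in the post: a responder URL configured statically is only a safety net, and when neither the certificate nor the configuration names a responder the check fails closed rather than silently skipping revocation. To send for real, `opener.open(req)` is the call that goes through the proxy; it is deliberately not invoked here.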