Creating a dynamic AIA-compatible OCSP responder object
Hello everyone, I am currently tasked with building a dynamic OCSP responder object for use with PSD2 and open banking. The requirement for this responder is that it is able to dynamically inspect the AIA section of the mandated client authentication certificate to pull out the OCSP responder endpoint, then call it, to check the revocation status of the client's certificate that they presented.
The question I have is around how to configure the OCSP auth object in APM. The use case that I need to solution for involves multiple (possibly hundreds) of different CAs across the world being allowed to issue PSD2 client certificates, whose associated revocation status I then need to check within the BIG-IP APM workflow, using the OCSP auth object.
My understanding is that I can use the AIA feature of the OCSP auth object, and by leaving the "Ignore AIA" checkbox unchecked, this will instruct the APM OCSP auth service to use the OCSP endpoint embedded in the AIA section of the client cert, instead of having to create a separate responder object for each of the 100 or so possible CA responder endpoints that could present themselves.
If my understanding is correct, how do I complete the CA authority drop-down part of the configuration for this "generic" AIA OCSP checker? I do not know which CAs are currently in place, and indeed which ones will be in place in 6 months' time, i.e. there may be more CAs that come online for this PSD2 use case.
Is anyone able to confirm my understanding and possibly provide a steer as to how I should solution for this particular use case, using APM or indeed another BIG-IP approach?
Many thanks!
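For readers wondering what "use the OCSP endpoint embedded in the AIA section" actually involves, here is an added example (not code from the original post, and not F5's implementation) of the first step an AIA-aware checker performs for every client certificate: walk the AuthorityInfoAccess extension (RFC 5280, SEQUENCE OF AccessDescription), find the id-ad-ocsp access method and read the URI from the GeneralName. It uses only the Python standard library, so the AIA blobs are constructed in-line with a small DER builder; the CA names and responder URLs are placeholders. The third sample shows the failure mode a generic checker must handle explicitly: a certificate whose AIA carries only a caIssuers entry and no OCSP URL, which should be treated as "cannot verify" rather than "not revoked".

```python
"""Extract OCSP responder URL(s) from an X.509 AuthorityInfoAccess value.

Added example, not from the original post or from F5. Standard library only;
the sample AIA extension values below are constructed here for the demo.
"""

# DER-encoded OIDs (content bytes only, without the 0x06 tag and length).
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp      1.3.6.1.5.5.7.48.1
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_URI = 0x86  # GeneralName [6] uniformResourceIdentifier, IMPLICIT IA5String


def der_length(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER tag-length-value triple."""
    return bytes([tag]) + der_length(len(body)) + body


def build_aia(entries) -> bytes:
    """Build an AIA extension value from [(oid_content_bytes, url), ...].

    Only used to construct test data; a real checker reads the extension
    out of the client certificate presented in the TLS handshake.
    """
    descs = b"".join(
        tlv(TAG_SEQUENCE, tlv(TAG_OID, oid) + tlv(TAG_URI, url.encode("ascii")))
        for oid, url in entries
    )
    return tlv(TAG_SEQUENCE, descs)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def ocsp_urls_from_aia(aia_der: bytes) -> list:
    """Walk AuthorityInfoAccessSyntax and return every id-ad-ocsp http(s) URI.

    An empty list means the certificate gives the checker nowhere to ask;
    a PSD2-style mandatory-revocation policy should reject in that case.
    """
    tag, seq, end = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE or end != len(aia_der):
        raise ValueError("AIA value is not a single SEQUENCE")
    urls = []
    pos = 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        mtag, method, p = read_tlv(desc, 0)
        ltag, location, _ = read_tlv(desc, p)
        if mtag != TAG_OID:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        # Only the URI form of GeneralName is usable for an OCSP transport;
        # other forms (directoryName, etc.) are skipped rather than guessed at.
        if method == OID_OCSP and ltag == TAG_URI:
            url = location.decode("ascii")
            if url.lower().startswith(("http://", "https://")):
                urls.append(url)
    return urls


# Constructed sample AIA values standing in for certs issued by three
# hypothetical PSD2 QTSPs, each with its own responder. Placeholder names.
SAMPLE_CA_A = build_aia([(OID_OCSP, "http://ocsp.ca-a.example/"),
                         (OID_CA_ISSUERS, "http://ca-a.example/ca.crt")])
SAMPLE_CA_B = build_aia([(OID_CA_ISSUERS, "http://ca-b.example/ca.crt"),
                         (OID_OCSP, "http://ocsp.ca-b.example/ocsp")])
SAMPLE_NO_OCSP = build_aia([(OID_CA_ISSUERS, "http://ca-c.example/ca.crt")])


if __name__ == "__main__":
    for name, aia in (("CA-A", SAMPLE_CA_A), ("CA-B", SAMPLE_CA_B), ("CA-C", SAMPLE_NO_OCSP)):
        found = ocsp_urls_from_aia(aia)
        print(name, "->", found if found else "NO OCSP URL: reject (cannot verify)")
```

Once a URL is found, the checker still has to build an OCSPRequest keyed on the issuer name/key hashes and the serial (RFC 6960) and POST it with `Content-Type: application/ocsp-request`, then validate that the response is signed by the issuing CA or a delegated responder for that CA. That last step is why the issuer certificate still matters even when the endpoint comes from AIA: the responder URL only tells you where to ask, not whom to trust for the answer.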