Forum Discussion

Fabrizio_Gerard
Mar 01, 2011

Inserting Client Certificate into OCSP Request

Hi,

Is it possible to insert the client certificate into the OCSP authentication request sent by LTM to the responder?

I know this request is actually an HTTP POST, so maybe the certificate could be inserted as an HTTP header.

But I couldn't find any information about that...

3 Replies

  • Hi Fabrizio,

    What are you trying to do?

    I think you can check the option for 'Allow Certificates' in the OCSP Responder profile to have LTM insert the cert in the OCSP request:

    Creating an OCSP responder object

    http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_auth_profiles.html

    Allow Certificates - Allows the addition of certificates to an OCSP request.

    Aaron
  • Hi,

    Thank you for your reply.

    Actually, we are using BIG-IP version 9.3.1, but in the responder profile there is the option "Allow certificates" as well.

    I traced the OCSP request sent from BIG-IP but I couldn't see any certificate inside the POST.

    We are trying to pass the client certificate to the responder so that a validation authority could extract some info from certificates such as CRL distribution point and so on.

    Now, we are planning to upgrade to 10.x during the next months but, still, in version 9.3.1 the option "Allow certificates" doesn't seem to work as expected.

    Any ideas?

  • Hi Fabrizio,

    I've tested OCSP validation in 9.4.8 and 10.1, but not for sending the cert. You could open a case with F5 Support to look into this.

    Be aware that 9.3 is going out of support on 12 Mar. So it would be a good idea to upgrade soon.

    sol5903: BIG-IP software support policy

    https://support.f5.com/kb/en-us/solutions/public/5000/900/sol5903.html

    Aaron