Multiple (many) OCSP responders, multiple CAs and certificate check

Question

Hello,&nbsp;
&nbsp;Is there a way to check certificates revocation status for a pre-loaded list of trusted CAs (50 to 100), just like a browser would do ?
&nbsp;The BIG-IP should extract the AIA field from the certificate and use it to contact the OCSP responder.
&nbsp;Is it something that the BIG-IP is aimed to do (just not check one or two OCSP responders, but many)? What is the limit?
&nbsp;Has it been done before ? Does someone have a configuration example?&nbsp;
&nbsp;Subsidiary question: if the AIA field does not exist, can the BIG-IP use the CRL field as a fallback? (again, just like internet browsers can do)&nbsp;
&nbsp;Kind regards&nbsp;

hooleylist · Answer

Hi JTH, 
&nbsp;  
&nbsp; None of this is currently possible with native configuration.  However, I think there are plans to support some of it soon.  I suggest you get in touch with your F5 system engineer or account manager who can provide you with more detail. 
&nbsp;  
&nbsp; Thanks, Aaron

hooleylist · Answer

I think this should be possible now with a hotfix on 10.2.4 or any 11.x version: 
&nbsp;  
&nbsp; sol12570: The BIG-IP SSL OCSP authentication module does not honor AIA extensions in client certificates 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12570.html 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Multiple (many) OCSP responders, multiple CAs and certificate check

2 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

F5 Distributed Cloud – Multiple custom certificates for HTTP/TCP LB

Re: Management Certificate

Large payload post requests aren't responding

Automate Let's Encrypt Certificates on BIG-IP

Change cookie domain in HTTP::respond