Forum Discussion

pdkaradzhinov's avatar
Icon for Nimbostratus rankNimbostratus
Aug 26, 2019

Client Authentication - Address of the OCSP responder using AIA extension (LTM only)

Hello folks,


With regards to PSD2 Directive we would like to provide TPP (third-party payment service provider) authentication in LTM (without APM) via OCSP. 


Certificates need to be validated against different OCSP responders, based on the X509 AIA extension. "Authority Information Access".


The idea is the following:


BIG-IP to authenticate the client (SSL) and to check the client’s certificate revocation status via OCSP + to send X-Client-Certificate to the back-end for further processing (already done via iRule).


I have found that there is out of the box irule "_sys_auth_ssl_ocsp", but not sure what is its point exactly and if this irule is trying to reach the OCSP responders using the AIA? Also there are some cases/articles in devcentral which points out that if we leave the URL in the OCSP Responders Configuration under Local Traffic ›› Profiles : Authentication : OCSP Responders ›› New OCSP Responder... - the BIG-IP will use the AIA to contact the OCSP Responders.


To get things more complicated .. we need to go to OCSP responders via explicit outbound proxy.


Will appreciate any kind of advise and help.


Thank you!


No RepliesBe the first to reply