Forum Discussion

Aug 22, 2011

Electronic ID - user authentication with ocsp

I have a problem regarding my BIG-IP ASM installation. We have an application that is requesting a certificate to login.

This is an Electronic Identity that is issued by our government. The current setup is:

- Made an OCSP listener to the correct IP / URL
- Made an authentication configuration (Local traffic --> profiles) with the above OCSP listener in it
- Made an authentication profile with the above configuration and ssl_ocsp as profile
- Uploaded the Root CA from
- Applied an SSL client profile with a correct SSL certificate and client authentication enabled with the following options:
  - Client certificate: request
  - Certificate chain traversal depth: 10
  - Advertised certificate authorities: Root CA
- Apply the authentication profile to the virtual server

When I go to that site I get a popup to enter my PIN code on my e-ID and send my citizen certificate. But nothing is happening; the only message I get is "page can't be displayed". Also, when I'm doing a tcpdump on the OCSP responder IP, no traffic is generated when I send my certificate.

Could someone help me on this issue? As mentioned in the manual, this should be the correct way to implement an authentication profile with OCSP. The other problem is that I'm not sure about the Root CA, because if I go to the official website I see for every month a new crt file + the Root CA. Is there a way to bundle them and apply these on an authentication profile?

Thanks in advance!

2 Replies

  • Hi Jeroen,

    Which LTM version are you testing with? Are you enforcing a client cert with OCSP checking for all URIs or selectively? If you remove the OCSP portion of the config, does the client cert validation work?

    I tested an OCSP iRule for selective cert requesting by URI on v9.4.8:

    You could either use that as an example to add debug logging for your iRule or update it for 10.x to make it CMP compatible.

  • Hi Aaron,

    Thanks for your reply. I am running v10.2.1, so normally it shouldn't be a problem.

    It's checking it for all those URIs, and if I disable the authentication profile I still get a certificate request from our appliance.

    I noticed that I also have to configure an iRule to insert the serial number in an HTTP header for the web application.

    When I was doing that I thought, let's debug some things, so first I copy the X509 details into the session table when a client certificate is presented. Then on an HTTP request I look those values up, and it's reading those values correctly. The only error I get, and actually it's the most important one, is "certificate not trusted", so my trusted CA is not correct at this moment.

    But really a nice feature, those iRules; nice to debug those things!
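The debugging approach described in the reply above (store the presented certificate's X509 details in the session table at handshake time, read them back on the HTTP request, log them, and hand the serial to the application in a header), written out as an added example iRule that is not the poster's own code. The header name X-Client-Cert-Serial, the key prefix and the 300-second table timeout are assumptions; the table commands need v10.1 or later.

```tcl
# Added example iRule (not from the thread). Assumed names: header
# X-Client-Cert-Serial, key prefix "eid:", 300 s table timeout.
when CLIENTSSL_CLIENTCERT {
    # Key the entries on the client address:port so the HTTP_REQUEST
    # event on the same connection can find them again.
    set key "eid:[IP::client_addr]:[TCP::client_port]"

    if { [SSL::cert count] == 0 } {
        # Profile is set to "request", so a client may send nothing.
        table set ${key}:status "nocert" 300
        return
    }

    set cert [SSL::cert 0]
    # 0 means the chain validated against the profile's trusted CA
    # bundle; any other value is an OpenSSL verify error code, and
    # "certificate not trusted" is the text you see for a wrong Root CA.
    set vres [SSL::verify_result]
    set vtext [X509::verify_cert_error_string $vres]

    table set ${key}:status [expr {$vres == 0 ? "ok" : "fail"}] 300
    table set ${key}:serial [X509::serial_number $cert] 300
    table set ${key}:subject [X509::subject $cert] 300
    table set ${key}:issuer [X509::issuer $cert] 300
    table set ${key}:error $vtext 300

    log local0. "eID cert from [IP::client_addr]: subject=[X509::subject $cert] issuer=[X509::issuer $cert] serial=[X509::serial_number $cert] verify=$vres ($vtext)"
}

when HTTP_REQUEST {
    set key "eid:[IP::client_addr]:[TCP::client_port]"
    set status [table lookup ${key}:status]

    # The application trusts this header, so never let the client
    # supply it: strip any inbound copy before deciding what to insert.
    HTTP::header remove "X-Client-Cert-Serial"

    # Default deny: an empty status means no CLIENTSSL_CLIENTCERT entry
    # exists for this connection; "nocert" or "fail" are explicit misses.
    if { $status ne "ok" } {
        log local0. "Rejecting [HTTP::uri] from [IP::client_addr]: status=$status error=[table lookup ${key}:error]"
        HTTP::respond 403 content "Client certificate missing or not trusted"
        return
    }

    HTTP::header insert "X-Client-Cert-Serial" [table lookup ${key}:serial]
}
```

With a wrong Root CA the log line shows verify=<nonzero> with the "certificate not trusted" text, which is the symptom described in the reply; once the CA bundle is correct the same line shows verify=0 and the serial reaches the application.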