For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ray_74718's avatar
Ray_74718
Icon for Nimbostratus rankNimbostratus
Dec 11, 2013

Failed to initialize OCSP Auth Module

Hi all,   I want to implement OCSP Auth with APM to Microsoft PKI. On-Demany-Cert Auth is working. I don't see any communication in tcpdump to ocsp responder.   Erro Message: 'failed to initial...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 15, 2013

I did a test with openssl, but seems that microsoft ca does not allow post requests

 

  1. The Microsoft OCSP service does support POST requests, so there may be a configuration issue here. Also, by default the Microsoft OCSP responder URL has the format: http://hostname/ocsp. Are you using this URL?

     

  2. In the event that your responder did not support POST requests, the APM OCSP client performs POST requests, so that could be an issue. But because you're not seeing the APM OCSP client communicate at all, I'd suspect something else.

     

  3. If you're using a host name in the config and in your OpenSSL command, can the LTM resolve this name to the correct IP?

     

  4. Last, what's in your MY-ROOT-CA.pem file? It needs, at a minimum, the direct issuer of the client's cert.