Forwarding OCSP request to a specific responder (or profile)

Question

Hi all.&nbsp;
We have this web service where we need to authenticate users (x509 mutual authentication). So we also need to verify the revocation status of users certificates. All these user certificates are signed by a bundle of cas (so the ocsp responder is not always the same).
We discovered that creating a responder leaving the URL field empty let the bigip to extract AIA field from user certificate and forward the ocsp request to the specific remote responder.
This works well.
But this AIA field is not present in all certificates.
So what we would like to do is to manually forward the request to a specific responder or profile (already configured on the bigip) the moment we detect a certificate where the AIA field is missing (we know this by reading issuer hash the moment user certificate is presented).&nbsp;
Any ideas?  &nbsp;
Thanks&nbsp;

yann_desmarest · Answer

Hi,&nbsp;
I think that the following codeshare provide what you need : &nbsp;
https://devcentral.f5.com/codeshare?sid=462&nbsp;
If you are using APM, it's even easier, you can define an OCSP AAA object, specify an URI and check "Ignore AIA"&nbsp;

Forum Discussion

Forwarding OCSP request to a specific responder (or profile)

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

How to tell nginx to use a forward proxy to reach a specific destination

APM-Specific Features for Securing Your Website

OCSP Responder

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

SSH forward proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS