jstaf
Dec 02, 2010

Multiple (many) OCSP responders, multiple CAs and certificate check

Hello,

Is there a way to check certificate revocation status for a pre-loaded list of trusted CAs (50 to 100), just like a browser would do?

The BIG-IP should extract the AIA field from the certificate and use it to contact the OCSP responder.

Is it something that the BIG-IP is aimed to do (just not check one or two OCSP responders, but many)? What is the limit?

Has it been done before? Does someone have a configuration example?

Subsidiary question: if the AIA field does not exist, can the BIG-IP use the CRL field as a fallback? (again, just like internet browsers can do)

Kind regards
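
The per-certificate discovery the question describes (read the AIA extension for an OCSP responder URL, fall back to the CRL distribution point when there is none), shown as an added example that is not part of this thread and not BIG-IP or F5 code. It is standard-library Python with a deliberately minimal DER walker, enough for these two extensions rather than a full X.509 parser. `build_sample_cert` is a constructed extension-only stand-in (not a real, signed certificate) and the `example.test` URLs in it are made up; a real DER-encoded client certificate can be passed to `choose_revocation_check` in its place. Because the responder URL is read from each certificate, the same logic serves any number of issuing CAs without a per-CA responder list.

```python
OID_AIA = bytes.fromhex("2b06010505070101")    # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
OID_CRLDP = bytes.fromhex("551d1f")            # 2.5.29.31 cRLDistributionPoints
OID_OCSP = bytes.fromhex("2b06010505073001")   # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
TAG_SEQ, TAG_OID, TAG_OCTETS, TAG_URI, TAG_CTX0 = 0x30, 0x06, 0x04, 0x86, 0xA0

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body

def _parse_aia(octets):
    """AIA ::= SEQUENCE OF { accessMethod OID, accessLocation GeneralName }."""
    _, seq, _ = _read_tlv(octets, 0)
    urls = []
    for _, desc in _children(seq):
        kids = list(_children(desc))            # keep only id-ad-ocsp with a URI name
        if len(kids) == 2 and kids[0][1] == OID_OCSP and kids[1][0] == TAG_URI:
            urls.append(kids[1][1].decode("ascii"))
    return urls

def _parse_crldp(octets):
    """CRLDP ::= SEQUENCE OF DistributionPoint { [0] { fullName [0] { URI [6] } } }."""
    _, seq, _ = _read_tlv(octets, 0)
    urls = []
    for _, dp in _children(seq):
        for tag, dpn in _children(dp):
            if tag != TAG_CTX0:                 # skip reasons [1] / cRLIssuer [2]
                continue
            for tag2, names in _children(dpn):
                if tag2 == TAG_CTX0:            # fullName; nameRelativeToCRLIssuer [1] ignored
                    urls += [n.decode("ascii") for t, n in _children(names) if t == TAG_URI]
    return urls

def extract_revocation_sources(cert_der):
    """Walk the DER tree and collect OCSP and CRL URLs from the two extensions."""
    found = {"ocsp": [], "crl": []}
    def visit(content):
        for tag, body in _children(content):
            if tag == TAG_SEQ:                  # Extension ::= { OID, [critical], OCTET STRING }
                kids = list(_children(body))
                if kids and kids[0][0] == TAG_OID and kids[-1][0] == TAG_OCTETS:
                    if kids[0][1] == OID_AIA:
                        found["ocsp"].extend(_parse_aia(kids[-1][1])); continue
                    if kids[0][1] == OID_CRLDP:
                        found["crl"].extend(_parse_crldp(kids[-1][1])); continue
            if tag & 0x20:                      # constructed: descend into it
                visit(body)
    visit(cert_der)
    return found

def choose_revocation_check(cert_der):
    """Browser-style policy: OCSP from AIA first, CRL distribution point as fallback."""
    src = extract_revocation_sources(cert_der)
    if src["ocsp"]:
        return "ocsp", src["ocsp"][0]
    if src["crl"]:
        return "crl", src["crl"][0]
    return "none", None                         # no revocation source in the certificate

# --- constructed sample input: tiny DER encoder, not a real signed certificate ---
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_cert(ocsp_url=None, crl_url=None):
    """Extension-only stand-in for a client certificate carrying the given URLs."""
    exts = b""
    if ocsp_url:
        aia = _der(TAG_SEQ, _der(TAG_SEQ, _der(TAG_OID, OID_OCSP) + _der(TAG_URI, ocsp_url.encode())))
        exts += _der(TAG_SEQ, _der(TAG_OID, OID_AIA) + _der(TAG_OCTETS, aia))
    if crl_url:
        dp = _der(TAG_SEQ, _der(TAG_CTX0, _der(TAG_CTX0, _der(TAG_URI, crl_url.encode()))))
        exts += _der(TAG_SEQ, _der(TAG_OID, OID_CRLDP) + _der(TAG_OCTETS, _der(TAG_SEQ, dp)))
    # tbsCertificate { ..., extensions [3] EXPLICIT Extensions }; other fields omitted
    return _der(TAG_SEQ, _der(TAG_SEQ, _der(0xA3, _der(TAG_SEQ, exts))))

if __name__ == "__main__":
    both = build_sample_cert("http://ocsp.example.test", "http://crl.example.test/ca.crl")
    print(extract_revocation_sources(both))
    for cert in (both, build_sample_cert(crl_url="http://crl.example.test/ca.crl"), build_sample_cert()):
        print(choose_revocation_check(cert))
```

What the snippet does not do is the check itself: building and sending the OCSP request, validating the signature and validity window of the response (or of the downloaded CRL) against the issuing CA, and deciding what to do when the certificate carries neither source or the responder is unreachable. That last decision (fail open or fail closed) is a policy choice, and it is the one that determines whether a revoked client certificate can still authenticate.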

2 Replies

  • hoolio
    Hi JTH,

    None of this is currently possible with native configuration. However, I think there are plans to support some of it soon. I suggest you get in touch with your F5 system engineer or account manager who can provide you with more detail.

    Thanks, Aaron
  • hoolio
    I think this should be possible now with a hotfix on 10.2.4 or any 11.x version:

    sol12570: The BIG-IP SSL OCSP authentication module does not honor AIA extensions in client certificates

    https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12570.html

    Aaron