Forum Discussion

jstaf
Dec 02, 2010

Multiple (many) OCSP responders, multiple CAs and certificate check

Hello,

Is there a way to check certificate revocation status for a pre-loaded list of trusted CAs (50 to 100), just like a browser would do?

The BIG-IP should extract the AIA field from the certificate and use it to contact the OCSP responder.

Is it something that the BIG-IP is intended to do (not just check one or two OCSP responders, but many)? What is the limit?

Has it been done before? Does someone have a configuration example?

Subsidiary question: if the AIA field does not exist, can the BIG-IP use the CRL field as a fallback? (again, just like internet browsers can do)

Kind regards
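The AIA-first, CRL-fallback source selection the question describes, as an added example that is not part of this thread and not BIG-IP code: it uses the third-party Python `cryptography` package, builds throwaway self-signed certificates inline (constructed sample data, placeholder hostnames) and returns which revocation source a checker would consult for a given client certificate.

```python
# Added example, not from the thread: pick the revocation source for a client
# certificate the way the question describes: OCSP URI from the AIA extension
# first, CRL distribution point as fallback. Sample certs are constructed here.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID, AuthorityInformationAccessOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def revocation_source(cert: x509.Certificate):
    """Return ("ocsp", url) from AIA, else ("crl", url) from CRL DP, else ("none", None)."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
        for desc in aia:  # AIA may also carry caIssuers entries; only OCSP matters here
            if desc.access_method == AuthorityInformationAccessOID.OCSP:
                return ("ocsp", desc.access_location.value)
    except x509.ExtensionNotFound:
        pass
    try:
        cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
        for dp in cdp:
            for name in dp.full_name or []:  # relative-name DPs need the issuer DN, skipped
                if isinstance(name, x509.UniformResourceIdentifier):
                    return ("crl", name.value)
    except x509.ExtensionNotFound:
        pass
    return ("none", None)  # neither extension: nothing to query, treat as a policy decision


def make_cert(ocsp_url=None, crl_url=None) -> x509.Certificate:
    """Throwaway self-signed cert carrying the requested extensions (constructed sample)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "sample-client")])
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1)))
    if ocsp_url:
        b = b.add_extension(x509.AuthorityInformationAccess([
            x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                   x509.UniformResourceIdentifier(ocsp_url))]), critical=False)
    if crl_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(revocation_source(make_cert("http://ocsp.example.test", "http://crl.example.test/ca.crl")))
    print(revocation_source(make_cert(crl_url="http://crl.example.test/ca.crl")))
```

Matching the certificate's issuer against the pre-loaded list of trusted CAs, and actually fetching and validating the OCSP response or CRL, are separate steps not shown here.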

  • Hi JTH,
    None of this is currently possible with native configuration. However, I think there are plans to support some of it soon. I suggest you get in touch with your F5 system engineer or account manager who can provide you with more detail.
    Thanks, Aaron
  • I think this should be possible now with a hotfix on 10.2.4 or any 11.x version:
    sol12570: The BIG-IP SSL OCSP authentication module does not honor AIA extensions in client certificates
    https://support.f5.com/kb/en-us/solutions/public/12000/500/sol12570.html
    Aaron