Forum Discussion
JohnVI_45924
Jan 17, 2012 (Nimbostratus)
OCSP and BigIp Irules for External Client Certificate Requests
I went through and found an article that talks to part of my questions, but I'm still not 100% on how to accomplish this with our current F5 setup. I'm trying to set this up for client certificate revo...
hooleylist
Jan 17, 2012 (Cirrostratus)
The purpose of OCSP is to verify the client's SSL certificate is valid. In order to process a client certificate on LTM, you need to use a client SSL profile. To check it against an OCSP server, you'll need an advanced client authentication (ACA) add-on license. Do you have this license already? If not, you can check with your F5 or partner account manager for a quote.
Once you have the license, you can use an OCSP profile to validate the client cert. The OCSP responder can be on a TMM interface on an "internal" or "external" VLAN. There's no functional difference between the two from TMM's perspective. The OCSP call is done over HTTP, but the client to LTM virtual server traffic is via SSL.
Aaron
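Added example (not part of the original thread, and not F5 code): what the HTTP-borne OCSP call mentioned in the answer above carries on the wire under RFC 6960, namely a DER `OCSPRequest` holding hashes of the issuer name and key plus the client certificate's serial number, POSTed as `application/ocsp-request`. It goes beyond the thread by showing the generic protocol message rather than anything LTM-specific; the issuer bytes, serial, host name and path are constructed placeholders.

```python
import hashlib

# AlgorithmIdentifier { OID 1.3.14.3.2.26 (SHA-1), NULL }, the CertID hash
# commonly used in OCSP requests.
SHA1_ALGID = bytes.fromhex("300906052b0e03021a0500")

def der_len(n):
    """DER definite-length octets."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """DER INTEGER for a non-negative serial (adds 0x00 if the top bit is set)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_ocsp_request(issuer_name_der, issuer_key_bytes, serial):
    """Unsigned OCSPRequest with a single CertID and no extensions."""
    cert_id = tlv(0x30,
        SHA1_ALGID
        + tlv(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash
        + tlv(0x04, hashlib.sha1(issuer_key_bytes).digest())  # issuerKeyHash
        + der_int(serial))                                    # serialNumber
    request = tlv(0x30, cert_id)        # Request { reqCert }
    request_list = tlv(0x30, request)   # SEQUENCE OF Request
    tbs = tlv(0x30, request_list)       # TBSRequest; version v1 is DEFAULT, omitted
    return tlv(0x30, tbs)               # OCSPRequest { tbsRequest }

def http_post(host, path, der):
    """Frame the request the way a relying party sends it to the responder."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/ocsp-request\r\n"
            f"Content-Length: {len(der)}\r\n\r\n")
    return head.encode("ascii") + der

# Constructed placeholders (assumptions, not values from the thread):
ISSUER_NAME_DER = bytes.fromhex("3011310f300d060355040313064c6162204341")  # CN=Lab CA
ISSUER_KEY_BYTES = bytes(range(65))   # stand-in for the issuer public key bits
CLIENT_SERIAL = 0x1001                # serial of the client cert being checked

if __name__ == "__main__":
    req = build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BYTES, CLIENT_SERIAL)
    print(http_post("ocsp.example.internal", "/ocsp", req)[:120])
```

The request contains only hashes and a serial number, so when troubleshooting a capture on the responder-facing VLAN, the serial at the end of the body is what identifies which client certificate was being checked.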