Forum Discussion

Michael_57131
Oct 06, 2014

OCSP Authentication profile error with clients that don't know the certificate issuer?

If a web browser doesn't send the certification hierarchy to the F5 with OCSP authentication profile, will SSL client negotiation fail?

We have an OCSP responder and authentication profile set up in F5 LTM 10.4. We issue our own Smart Cards. When external clients that do not know about our internal certification authority attempt to authenticate, IE displays the "page cannot be displayed" error. When I try the same SSL client verification on a virtual server that isn't configured with the OCSP authentication profile, it succeeds.

Everything works internally, where the client web browsers have the right Root and Sub CAs configured.

Likewise, when I import the Root and Sub CA into the external web browser, authentication works as expected using the client certificate.

I'd like to get the LTM configured so it's optional. Ideally we would not need to configure external web browsers with our internal CAs.

2 Replies

  •
    R_Eastman_13667
    Historic F5 Account

    Sounds like your OCSP response is not valid. Can you verify by using openssl from the F5? `openssl ocsp -issuer internal_CA.crt -cert my_client_cert.cer -text -url http://ocsp.internalca.org`

    You should get a response back like: Cert Status: good

  • I do think it has to do with the certification hierarchy and the F5. I am able to see the OCSP query and response when I log in from a computer that has the hierarchy. However, when I use an external resource that doesn't have the hierarchy, I don't see the query, like the authentication process breaks down before it gets to the verify part.