Forum Discussion
OCSP: Bad Request
- Apr 01, 2018
Very different POST requests... and this definitively nailed the problem.
From my browser, the tbsRequest has the reqCert with issuerNameHash, issuerKeyHash and serialNumber for the certificate.
From the F5, apart from the reqCert, the tbsRequest also sends a requestorName of type directoryName, and sends a copy of the certificate defined under OCSP > Request signing as optionalSignature.
However this OCSP does not require (or expect) anything to be signed, and by taking it away, SSL certificate status went green instantly. And the OCSP response now contains the OCSP Response Status: successful as it should.
Seems there was one combination I didn't try... Thanks for the hint, it was spot on.
Does your packet capture show the OCSP request that is being sent to the OCSP responder?
Can you compare the working request with the failed request?
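The difference found in this thread (a plain request versus one carrying requestorName and optionalSignature) can be checked mechanically when comparing two captured requests. The following is an added example, not part of the original posts and not F5 code: a minimal DER walk over the RFC 6960 OCSPRequest layout, where the function names and both sample requests are constructed for illustration.

```python
# Added example: report which optional parts a DER OCSPRequest carries (stdlib only).

def tlv(tag, content=b""):
    """Encode one DER element; used here only to build the constructed samples."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def describe_ocsp_request(der):
    """OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature [0] OPTIONAL }."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    outer = children(body)
    if not outer or outer[0][0] != 0x30:
        raise ValueError("missing tbsRequest")
    tbs_tags = [t for t, _ in children(outer[0][1])]
    return {
        "requestorName": 0xA1 in tbs_tags,             # [1] EXPLICIT GeneralName
        "requestList": 0x30 in tbs_tags,               # SEQUENCE OF Request (reqCert)
        "optionalSignature": any(t == 0xA0 for t, _ in outer[1:]),
    }

# Constructed samples: zeroed hashes, serial 1, placeholder (invalid) signature.
CERT_ID = tlv(0x30, tlv(0x30, bytes.fromhex("06052b0e03021a0500"))
              + tlv(0x04, bytes(20)) + tlv(0x04, bytes(20)) + tlv(0x02, b"\x01"))
REQUEST_LIST = tlv(0x30, tlv(0x30, CERT_ID))
UNSIGNED = tlv(0x30, tlv(0x30, REQUEST_LIST))          # browser-style request
SIGNED = tlv(0x30, tlv(0x30, tlv(0xA1, tlv(0xA4, tlv(0x30))) + REQUEST_LIST)
             + tlv(0xA0, tlv(0x30, tlv(0x30) + tlv(0x03, b"\x00"))))
```

To compare real traffic, pass `describe_ocsp_request` the raw body of each HTTP POST exported from the packet capture.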