OCSP Cache

Question

Hello all&nbsp;
We need to implement an OCSP authentication profile on our LTM system to verify the revocation status of client certificates.&nbsp;
Does anyone know if it's possible for the LTM to cache the response from the OCSP Responder to help minimise the number of requests needed?&nbsp;
Thank you. &nbsp;

morten_marstra1 · Answer

Hi,&nbsp;
You can change the caching options in the ocsp stapling profile.
Please have a look at the following article, by Jason Rahm:
https://devcentral.f5.com/articles/configuring-ocsp-stapling-on-big-ip&nbsp;
Morten&nbsp;

morten_marstran · Answer

Hi,&nbsp;
You can change the caching options in the ocsp stapling profile.
Please have a look at the following article, by Jason Rahm:
https://devcentral.f5.com/articles/configuring-ocsp-stapling-on-big-ip&nbsp;
Morten&nbsp;

devlin_t_149357 · Answer

Hi Morten&nbsp;
Thanks for your quick response. We don't want to do OCSP stapling. Our situation is that we have a VS to which the client connects. We've applied a Client SSL Profile to terminate the TLS. We also have Client Authentication turned on so the LTM sends a certificate request. We then need to check the revocation of the client's certificate using OCSP. We have configured an OCSP authentication profile, see: &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-12-0-0/8.html&nbsp;
...the client has asked if the LTM can cache the OCSP response from the Responder so the LTM does not need to send an OCSP request for the same client every time they make a request.&nbsp;
Thanks.&nbsp;

devlin_t_149357 · Answer

Hi Morten&nbsp;
Thanks for your quick response. We don't want to do OCSP stapling. Our situation is that we have a VS to which the client connects. We've applied a Client SSL Profile to terminate the TLS. We also have Client Authentication turned on so the LTM sends a certificate request. We then need to check the revocation of the client's certificate using OCSP. We have configured an OCSP authentication profile, see: &nbsp;
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-profiles-reference-12-0-0/8.html&nbsp;
...the client has asked if the LTM can cache the OCSP response from the Responder so the LTM does not need to send an OCSP request for the same client every time they make a request.&nbsp;
Thanks.&nbsp;

morten_marstra1 · Answer

Ah, I missed the part about client certificates. Sorry, but I don't know if what you want can be done.&nbsp;
Regards,
Morten&nbsp;

Forum Discussion

OCSP Cache

9 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

SSO login for APM Profiles

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Webtop which has VNC for macos users

Floating IP responds from wrong VLAN/trunk

Related Content

Why is OCSP response caching not working with Client Certificate Authentication?

Configuring OCSP Stapling on BIG-IP

What is Web Cache Exploitation?

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

OCSP Responder

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS