Forum Discussion

David_G__33241
Mar 17, 2017

OCSP Configuration

I am trying to get OCSP to work with both Device and User Certificates. I have managed to confirm that everything works using the command line; however, I cannot seem to figure out the proper responder configuration within Big-IP.

These work:

openssl ocsp -issuer issuing-ca-6.cer -cert myusercert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce
openssl ocsp -issuer issuing-ca-6.cer -cert mydevicecert.cer -url http://10.1.1.1/ocsp -CAfile ca-bundle.crt -no_nonce

Both commands respond with “Response verify OK” plus a message indicating if the certificate is revoked or good. Revoking a cert changes the status so I believe all is good when using the CLI.

Our PKI environment has a root and multiple issuing CAs. issuing-ca-6.cer is the CA that signed the server certificate for the OCSP responder server. ca-bundle.crt includes the root and all issuing CAs.

Setup is as follows:

/ras/xxx-internal-ca_profile has a Trusted CA of ca-bundle.crt as used on the command line. Other parameters are default.

I have tried many options for the Responder config, which at the moment looks like this. I presume this is where my problem lies:

Although openssl always provides the correct response, the Access Policy always tells me the certificate is revoked. I can confirm the certificate is being read properly because a sessiondump shows all of the certificate attributes.

Any guidance would be appreciated. Thanks.

APM 12.1.1
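The two openssl checks from the post, wrapped so that the responder-signature result ("Response verify OK") and the certificate's own status line are evaluated separately, since openssl still prints a good/revoked line after "Response Verify Failure" and that line must not be trusted on its own. This is an added example, not code from the thread; the file names and URL are the post's placeholders, and the nonce handling is this script's own stricter policy, not openssl's.

```shell
#!/bin/sh
# Added example (not from the original thread). Runs the same query as the post
# and reduces openssl's output to one status word.

# ocsp_query ISSUER CERT URL CAFILE -> raw openssl ocsp output (stderr merged in)
ocsp_query() {
    openssl ocsp -issuer "$1" -cert "$2" -url "$3" -CAfile "$4" -no_nonce 2>&1
}

# ocsp_parse < openssl-output -> good | revoked | unknown | verify-failed | error
# A response whose signature did not verify against -CAfile is reported as
# verify-failed even when it also carries a "good" line. A "no nonce in
# response" warning (responder ignored a requested nonce) is treated the same
# way here, because the response then cannot be tied to this request.
ocsp_parse() {
    awk '
        /Response verify OK/           { verified = 1 }
        /Response Verify Failure/      { failed = 1 }
        /WARNING: no nonce in response/ { failed = 1 }
        /^[^:]*: good$/    { status = "good" }
        /^[^:]*: revoked$/ { status = "revoked" }
        /^[^:]*: unknown$/ { status = "unknown" }
        END {
            if (failed || !verified) { print "verify-failed"; exit }
            if (status == "")        { print "error"; exit }
            print status
        }'
}

# Usage: ./ocspcheck.sh issuing-ca-6.cer myusercert.cer http://10.1.1.1/ocsp ca-bundle.crt
if [ "$#" -eq 4 ]; then
    ocsp_query "$@" | ocsp_parse
fi
```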

  • When you are testing from the command line, I assume you are doing this from the BIG-IP management interface? Which has a route to the OCSP responder on the 10.1.1.0 network?

    Does your Self-IP have a route to this network as well?

    What is your OCSP Responder? Windows, Corestreet, Tumbleweed? Do you have nonce enabled by default on the responder and off on the OCSP profile?