OCSP Responder
Hi guys, I just wanted to know if any of you here has already set up an OCSP responder. We have this set up, but I am not really sure if I am doing it correctly.
So the setup goes like this.
Our AD team has set up an OCSP responder server. From my end, I have configured a virtual server whose pool members are the OCSP responder servers.
Then I created an OCSP profile with the URL address http://abc.com.sg.
I am wondering why HTTP and not HTTPS; however, this is what our AD team provided, as they said they have a limitation using HTTPS.
I then applied this OCSP profile to one of the public-facing HTTPS URLs through the virtual server profile.
The objective is that whenever we launch the URL from the internet, the LTM should perform OCSP authentication by querying the OCSP servers.
To test it, I simply run openssl and check whether an OCSP response is sent.
Has anyone experienced this? Am I missing something here?
Hi Lidev, thanks for responding... This is actually how I configured it, but I am not too sure if this is correct. However, from the packet capture I can now see the OCSP request and OCSP response already; I see we are hitting the remote OCSP. We don't want to use stapling but rather remote OCSP authentication, but I am not too sure if I should enable client authentication.
Would you be able to advise whether everything below is correct, or if I missed anything?
- I created the "ocsp responder"; this is where I put the "ocsp responder url".
- I created the "ocsp configuration" and attached the "ocsp responder".
- I created the "ocsp profile" and attached the "ocsp configuration".
- On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile".
- On the "ssl client profile" of the application virtual server I enabled "client authentication", changed "client certificate" from ignore to require, and then applied the CA certificate under the trusted certificate authorities.
Test result:
- The moment the user launches the URL, the browser prompts to select the certificate.
- Select and click OK, but the page errors.
From the dump:
I see the OCSP request and OCSP response, and the status of the OCSP response is "unauthorized".
From this point I can tell something is wrong with the remote OCSP; however, I want to know if my configuration is all correct.
Please, kindly advise. Thanks a lot.
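A small decoder, added here as an example and not part of either post, for the outer OCSPResponse structure from RFC 6960: it reads the responseStatus (the value a capture shows as "unauthorized" is 6) and reports whether a BasicOCSPResponse is present at all, which is the first thing to check before looking at the LTM configuration. It assumes the responder's reply has been saved to a file (e.g. `openssl ocsp ... -respout resp.der`); the two sample responses at the bottom are constructed.

```python
"""Decode the outer OCSPResponse (RFC 6960, section 4.2.1) from DER bytes."""

# OCSPResponseStatus values from RFC 6960; 4 is unassigned.
# "unauthorized" is returned when the responder is not authorized to answer
# for this request, or cannot respond authoritatively (RFC 6960, section 2.3).
STATUS_NAMES = {0: "successful", 1: "malformedRequest", 2: "internalError",
                3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
BASIC_OCSP_OID = bytes.fromhex("2b0601050507300101")  # id-pkix-ocsp-basic


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _wrap(tag, content):
    """DER-encode tag + length + content (only used to build the samples)."""
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content


def decode_ocsp_response(der):
    """Return (status_code, status_name, has_basic_response)."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status, pos = _tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code, has_basic = status[0], False
    if pos < len(body):  # responseBytes [0] EXPLICIT is OPTIONAL; absent on errors
        tag, rb, _ = _tlv(body, pos)
        if tag == 0xA0:
            _, seq, _ = _tlv(rb, 0)          # ResponseBytes SEQUENCE
            tag, oid, _ = _tlv(seq, 0)       # responseType OID
            has_basic = tag == 0x06 and oid == BASIC_OCSP_OID
    return code, STATUS_NAMES.get(code, "unknown"), has_basic


# Constructed samples: the minimal encoding of an "unauthorized" status (no
# responseBytes), and a successful envelope around a dummy 200-byte payload.
UNAUTHORIZED_SAMPLE = bytes.fromhex("30030a0106")
SUCCESS_SAMPLE = _wrap(0x30, _wrap(0x0A, b"\x00") + _wrap(0xA0, _wrap(
    0x30, _wrap(0x06, BASIC_OCSP_OID) + _wrap(0x04, b"\x00" * 200))))
```

Run `decode_ocsp_response(open("resp.der", "rb").read())` on a saved reply; a 6 with no BasicOCSPResponse means the responder never produced a signed answer, so the fault is on the responder side (typically the issuing CA is not configured there) rather than in the client-certificate settings.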