Forum Discussion

Cirrus

Dec 07, 2020

Solved

OCSP Responder

Hi guys, I just wanted to know if anyone of you here had already setup an ocsp responder? We have this setup but not really sure if I am doing it correctly. So the setup goes like this. Our AD...

application delivery

LTM

f5mkuDefault
Dec 09, 2020
Hi Lidev, thanks for responding...This is actually how I configured but I am not too sure if this is correct, however from the packet capture now I can see ocsp request and ocsp response already, I see we are hitting the remote ocsp. We don't want to use stapling but rather remote ocsp authentication but I am not too sure if I should enable the client authentication.

Would you be able to advise below if all are correct or if anything i missed?

I created the "ocsp responder", this is where i put the "ocsp responder url".
I created "ocsp configuration" and attached the "ocsp responder"
I created "ocsp profile" and attached the "ocsp configuration"
On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile"
On the "ssl client profile" of the application virtual server I have enabled the "client authentication", change "client certificate" from ignore to require and then apply the ca certificate under the trusted certificate authorities.

Test result:
The moment user launch the url the browser prompt to select the certificate
Select and click OK but page error

From the dump:
I see ocsp request and ocsp response and the status of ocsp response is "unaothorized".
From this point I can tell something wrong with the remote ocsp, however I want to know if my configuration are all correct.

Please, kindly advise. Thanks a lot.

Lidev

Nacreous

Dec 08, 2020

Hi f5mkuDefault,

Your configuration seems to be fine and you can use either HTTP or HTTPs to request your OSCP Responder Server without any problem.

To validate the correct functionality of the OCSP Responder, check OCSP Reponse Status (successful (0x0) and if the Next Update extension is present in your OpenSSL command output.

You can aslo check the OCSP statistics on your F5 BIG-IP :

 show sys crypto cert-validator ocsp <profile_name>

Regards

f5mkuDefault

Cirrus

Dec 09, 2020

hi Lidev, actually it is not working. even the show crypto does not work, so I am not sure if I missed something.

Is there some configuration I need to do on the SSL Profile?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

OCSP Responder

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

Webtop which has VNC for macos users

Floating IP responds from wrong VLAN/trunk

AST Configuration Assistance

expandsSubcollections and filtering in F5 SDK

F5 i-series Guests to r-series tenants migration

Related Content

Configuring OCSP Stapling on BIG-IP

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

Load Balancing OCSP Responder Pool

OCSP through an outbound explicit proxy

OCSP: Bad Request

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS