Forum Discussion
OCSP Responder
- Dec 09, 2020
Hi Lidev, thanks for responding... This is actually how I configured it, but I am not too sure if this is correct. However, from the packet capture I can now see the OCSP request and OCSP response, so I see we are hitting the remote OCSP. We don't want to use stapling but rather remote OCSP authentication, but I am not too sure if I should enable the client authentication.
Would you be able to advise below if all are correct or if there is anything I missed?
- I created the "ocsp responder", this is where I put the "ocsp responder url".
- I created "ocsp configuration" and attached the "ocsp responder"
- I created "ocsp profile" and attached the "ocsp configuration"
- On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile"
- On the "ssl client profile" of the application virtual server I have enabled the "client authentication", changed "client certificate" from ignore to require and then applied the CA certificate under the trusted certificate authorities.
Test result:
- The moment the user launches the URL, the browser prompts to select the certificate
- Select and click OK but page error
From the dump:
I see the OCSP request and OCSP response, and the status of the OCSP response is "unauthorized".
From this point I can tell something is wrong with the remote OCSP, however I want to know if my configuration is all correct.
Please, kindly advise. Thanks a lot.
Difficult to say without having the configuration files of the BIG-IP, but in general it looks OK.
Moreover, if you now see the OCSP request/response, it's a good sign.
It actually looks like you have a problem with the remote OCSP server.
Regards