Forum Discussion
Brad_Parker
Feb 04, 2015Cirrus
OCSP Stapling
Has anyone successfully got OCSP stapling working in 11.6? If so, can you share your configuration?
Ronald_van_der_
Nimbostratus
I managed to get a working environment... As I work with several partitions and routing domains I had several other issues to deal with...
The following steps were done to finally get OCSP stapling to work:
- Configure a DNS resolver (forward zone: '.')
-
Create profile OCSP Stapling (advanced settings)
- Configure the DNS resolver from 1
- Set Trusted CA and Trusted Responders (make sure the certificate is in the bundle [if you use the bundle]!)
- Configure Status Age to 86400 (default 300, which resulted in errors)
-
Create / modify the SSL Client Profile
- Modify the certificate key chain to add the OCSP Stapling Parameters.
- Connect the SSL Client Profile to the Virtual Server..
My issues:
- Trusted CA/Responders did not contain the certificate used by the OCSP responder (signing)
- Status Age (default value)
Results..
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 42B6511E20AE925461D1611744ECB5A71A74D039
Produced At: May 7 03:35:38 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
Serial Number: 1121283877D6C3E4AD590147B7F9B0AB5A76
Cert Status: good
This Update: May 7 03:35:38 2015 GMT
Next Update: May 7 15:35:38 2015 GMT
Troubleshooting tips:
- Make sure your BigIP can resolve the OCSP Responder domain (using DNS)
- Make sure connectivity to and from DNS/Responder is available (usually HTTP -> see certificate -> Authority Information Access)
- Make sure you receive a valid response from the OCSP Responder (including valid times)
- Check if your configuration contains valid Trusted CA/Trusted Responder and Status Age configuration
Mike_Ripley
May 07, 2015Nimbostratus
Just noticed this thread come back, and thought I should add my $.02 again. I was able to work with support to get OCSP stapling working as well. One outstanding caveat is that we were noticing periodic drop-outs of the OCSP staples. Turns out Comodo will issue OCSP replies for four days, and F5 rejects any with "This Update" older than 86400 sec. I've got an EHF queued up for next week that should allow us to relax that window.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects