OCSP Stapling

I managed to get a working environment... As I work with several partitions and routing domains I had several other issues to deal with...

The following steps were done to finally get OCSP stapling to work:

1. Configure a DNS resolver (forward zone: '.')
2. Create profile OCSP Stapling (advanced settings)
   • Configure the DNS resolver from 1
   • Set Trusted CA and Trusted Responders (make sure the certificate is in the bundle [if you use the bundle]!)
   • Configure Status Age to 86400 (default 300, which resulted in errors)
3. Create / modify the SSL Client Profile
   • Modify the certificate key chain to add the OCSP Stapling Parameters.
4. Connect the SSL Client Profile to the Virtual Server..

My issues:

• Trusted CA/Responders did not contain the certificate used by the OCSP responder (signing)
• Status Age (default value)

Results..

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 42B6511E20AE925461D1611744ECB5A71A74D039
Produced At: May  7 03:35:38 2015 GMT
Responses:
Certificate ID:
  Hash Algorithm: sha1
  Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
  Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
  Serial Number: 1121283877D6C3E4AD590147B7F9B0AB5A76
Cert Status: good
This Update: May  7 03:35:38 2015 GMT
Next Update: May  7 15:35:38 2015 GMT

Troubleshooting tips:

1. Make sure your BigIP can resolve the OCSP Responder domain (using DNS)
2. Make sure connectivity to and from DNS/Responder is available (usually HTTP -> see certificate -> Authority Information Access)
3. Make sure you receive a valid response from the OCSP Responder (including valid times)
4. Check if your configuration contains valid Trusted CA/Trusted Responder and Status Age configuration