OCSP Stapling

Hello, I have successfully configured OCSP Stapling profile with some help from F5 Support (thanks Melina)

I have a:

• Wildcard certificate signed by thawte (let's name it PFX)

   

• thawte intermediate certificate (let's name it CRT-INTR)

   

• thawte root certificat (let's name it CRT-ROOT)

   

• No idea which Sign Hash algo is used by thawte OCSP Responders

   

So the guide is here:

• Upload to BIG-IP client certificate PFX

   

• Upload to BIG-IP certificate bundle. First intermediate CRT-INTR, next root CRT-ROOT. If your chain is deeper, than you need to upload INTR1,INTR2,ROOT [BUNDLE]

   

• Create default DNS Resolver in Network -> DNS Resolvers -> DNS Resolver List [DNS]

   

• Create OCSP Stapling profile Local Traffic -> Profiles -> SSL -> OCSP Stapling [OCSP]

   

• Use created earlier DNS Resolver [DNS], use created earlier Trusted Certificate Authorities [BUNDLE], set Status Age to 86400

   

• Create Client SSL profile with selected created earlier OCSP Stapling profile

   

• Test each Sign Hash algo (SHA1/SHA256) against external OCSP Stapling checker, like https://www.ssllabs.com/ssltest/