Brad_Parker
Feb 04, 2015
OCSP Stapling
Has anyone successfully got OCSP stapling working in 11.6? If so, can you share your configuration?
Hello, I have successfully configured OCSP Stapling profile with some help from F5 Support (thanks Melina)
I have:
- a wildcard certificate signed by thawte (let's name it PFX)
- the thawte intermediate certificate (let's name it CRT-INTR)
- the thawte root certificate (let's name it CRT-ROOT)
- no idea which Sign Hash algo is used by thawte OCSP Responders

So the guide is here:
1. Upload the client certificate PFX to the BIG-IP.
2. Upload the certificate bundle to the BIG-IP: first the intermediate CRT-INTR, next the root CRT-ROOT. If your chain is deeper, then you need to upload INTR1, INTR2, ROOT [BUNDLE].
3. Create a default DNS Resolver in Network -> DNS Resolvers -> DNS Resolver List [DNS].
4. Create an OCSP Stapling profile in Local Traffic -> Profiles -> SSL -> OCSP Stapling [OCSP].
5. Use the DNS Resolver created earlier [DNS], use the Trusted Certificate Authorities created earlier [BUNDLE], and set Status Age to 86400.
6. Create a Client SSL profile with the OCSP Stapling profile created earlier selected.
7. Test each Sign Hash algo (SHA1/SHA256) against an external OCSP Stapling checker, like https://www.ssllabs.com/ssltest/
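For step 7, an external checker is one option; the same verification can be done from any host with OpenSSL, which also reveals the signature algorithm the responder used (the point the answer above was unsure about). The script below is an added example and not part of the thread or of any F5 configuration: it parses the text that `openssl s_client -status` prints, with a constructed sample response embedded for offline use. The exact wording it matches ("OCSP response: no response sent", "Cert Status: good", "Signature Algorithm:") is what OpenSSL 1.1.x/3.x prints and is assumed here; other versions may differ.

```shell
#!/bin/sh
# Added example, not from the thread above: verify from outside that a
# BIG-IP virtual server really staples an OCSP response, and show which
# signature algorithm the OCSP responder used.

# Read `openssl s_client -status` output on stdin; print one word:
#   none    -> server sent no stapled response (stapling not working)
#   good    -> stapled response present, certificate status good
#   revoked -> stapled response says revoked
#   unknown -> stapled response present but status not recognised
parse_stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none ;;
        *"Cert Status: good"*)               echo good ;;
        *"Cert Status: revoked"*)            echo revoked ;;
        *)                                   echo unknown ;;
    esac
}

# Read the same output on stdin; print the signature algorithm of the OCSP
# response itself (the first "Signature Algorithm:" line, which precedes any
# certificates embedded in the response), or "none" if nothing was stapled.
parse_stapling_sigalg() {
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    [ -n "$alg" ] && echo "$alg" || echo none
}

# Live check: check_stapling www.example.com [443]
# Prints "<status> <sigalg>"; exit status is 0 only when status is good.
check_stapling() {
    host=$1; port=${2:-443}
    raw=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$host" -status 2>/dev/null)
    status=$(printf '%s\n' "$raw" | parse_stapling_status)
    sigalg=$(printf '%s\n' "$raw" | parse_stapling_sigalg)
    echo "$status $sigalg"
    [ "$status" = good ]
}

# Constructed sample (not captured from a real server) shaped like the
# OCSP section of `openssl s_client -status` output, for offline testing.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Example CA
    Produced At: Jan  1 00:00:00 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 00:00:00 2015 GMT
    Next Update: Jan  8 00:00:00 2015 GMT

    Signature Algorithm: sha256WithRSAEncryption
         01:02:03
======================================'

# Offline demo on the constructed sample: prints "good sha256WithRSAEncryption"
demo_offline() {
    echo "$(printf '%s\n' "$SAMPLE_GOOD" | parse_stapling_status)" \
         "$(printf '%s\n' "$SAMPLE_GOOD" | parse_stapling_sigalg)"
}
```

Run `check_stapling your.vip.example.com` against the virtual server that uses the new Client SSL profile: `none` means the BIG-IP never obtained a response (check the DNS Resolver and the trusted CA bundle), while `good sha256WithRSAEncryption` or `good sha1WithRSAEncryption` tells you directly which Sign Hash algorithm the responder signs with, so you can set the profile to match instead of trying each one.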