Forum Discussion
Brad_Parker
Feb 04, 2015 | Cirrus
OCSP Stapling
Has anyone successfully got OCSP stapling working in 11.6? If so, can you share your configuration?
Ronald_van_der3
Nimbostratus
I managed to get a working environment... As I work with several partitions and routing domains I had several other issues to deal with...
The following steps were done to finally get OCSP stapling to work:
1. Configure a DNS resolver (forward zone: '.')
2. Create profile OCSP Stapling (advanced settings)
   - Configure the DNS resolver from 1
   - Set Trusted CA and Trusted Responders (make sure the certificate is in the bundle [if you use the bundle]!)
   - Configure Status Age to 86400 (default 300, which resulted in errors)
3. Create / modify the SSL Client Profile
   - Modify the certificate key chain to add the OCSP Stapling Parameters.
4. Connect the SSL Client Profile to the Virtual Server.
My issues:
- Trusted CA/Responders did not contain the certificate used by the OCSP responder (signing)
- Status Age (default value)
Results:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 42B6511E20AE925461D1611744ECB5A71A74D039
    Produced At: May 7 03:35:38 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
      Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
      Serial Number: 1121283877D6C3E4AD590147B7F9B0AB5A76
    Cert Status: good
    This Update: May 7 03:35:38 2015 GMT
    Next Update: May 7 15:35:38 2015 GMT
Troubleshooting tips:
- Make sure your BIG-IP can resolve the OCSP Responder domain (using DNS)
- Make sure connectivity to and from DNS/Responder is available (usually HTTP -> see certificate -> Authority Information Access)
- Make sure you receive a valid response from the OCSP Responder (including valid times)
- Check if your configuration contains valid Trusted CA/Trusted Responder and Status Age configuration
Ken_Schultz_525
Sep 25, 2015 | Nimbostratus
Found my answer
https://support.f5.com/kb/en-us/solutions/public/16000/800/sol16810.html
Beginning in BIG-IP 11.6.0 HF5 the Status Age field of the OCSP Stapling profile has a default value of 86400 seconds (1 day), and will allow a range of 0 to MAX_INT seconds to be specified.
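As an added example that is not code from this thread, from F5 or from K16810: a shell script that scripts Ronald_van_der3's three configuration steps with tmsh (DNS resolver with a '.' forward zone, OCSP stapling params with trusted CA/responders and an explicit Status Age, client SSL profile whose cert-key-chain references those params) and then checks the staple a virtual server actually returns, covering the troubleshooting tips above (response present, status successful, cert status good, thisUpdate/nextUpdate sane against the clock). The tmsh object and property names (`net dns-resolver`, `ltm profile ocsp-stapling-params`, `ocsp-stapling-params` inside the client-ssl `cert-key-chain`, `ocsp-stapling enabled`), the object names `ocsp_resolver`/`ocsp_params`/`ocsp_clientssl`, the sample response text and the `OCSP_NOW` override are my assumptions; check the tmsh syntax with `tmsh help ltm profile ocsp-stapling-params` on your version before running the `configure` path.

```shell
#!/bin/sh
# Added example, not from the DevCentral thread: configure BIG-IP OCSP stapling
# via tmsh and verify the staple a virtual server sends. tmsh names below are
# as remembered for 11.6 and are assumptions; verify with 'tmsh help'.
set -u

# ---- 1. Configuration (run on the BIG-IP itself) ----
configure_stapling() {
  resolver_ip=$1 ca_bundle=$2 cert=$3 key=$4 status_age=${5:-86400}
  # Step 1: DNS resolver with a forward zone for '.' so the AIA hostname resolves
  tmsh create net dns-resolver ocsp_resolver forward-zones replace-all-with \
    { . { nameservers replace-all-with { "$resolver_ip":53 { } } } }
  # Step 2: stapling params; the bundle must contain the responder's signing cert
  tmsh create ltm profile ocsp-stapling-params ocsp_params dns-resolver ocsp_resolver \
    trusted-ca "$ca_bundle" trusted-responders "$ca_bundle" status-age "$status_age"
  # Step 3: client SSL profile whose cert-key-chain references the params
  tmsh create ltm profile client-ssl ocsp_clientssl defaults-from clientssl \
    cert-key-chain replace-all-with { default { cert "$cert" key "$key" \
    ocsp-stapling-params ocsp_params } } ocsp-stapling enabled
}

# ---- 2. Verification: parse 'openssl s_client -status' output ----
# "May  7 15:35:38 2015 GMT" -> seconds since the Unix epoch, in pure awk so it
# behaves the same on GNU and BSD userlands (no 'date -d' dependency).
to_epoch() {
  printf '%s\n' "$1" | awk '{
    n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
    for (i = 1; i <= n; i++) if (m[i] == $1) mon = i
    day = $2 + 0; split($3, t, ":"); y = $4 + 0
    if (mon <= 2) y--                       # days-from-civil, Gregorian calendar
    era = int(y / 400); yoe = y - era * 400
    doy = int((153 * ((mon + 9) % 12) + 2) / 5) + day - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    days = era * 146097 + doe - 719468
    print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
  }'
}

# First value of an indented "Name: value" line in the s_client output.
field() { printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: *//p" | head -n 1; }

# Reads 'openssl s_client -status' output on stdin. Returns 0 only when the server
# stapled a successful response with Cert Status good whose thisUpdate..nextUpdate
# window contains $OCSP_NOW (epoch seconds; defaults to the current time).
# nextUpdate is optional in OCSP; a staple without one is treated as a failure here.
check_stapled_response() {
  out=$(cat)
  now=${OCSP_NOW:-$(date +%s)}
  if printf '%s\n' "$out" | grep -q 'no response sent'; then
    echo "FAIL: server sent no stapled OCSP response (check resolver, AIA reachability, profile)"
    return 1
  fi
  status=$(field 'OCSP Response Status' "$out")
  case $status in
    successful*) ;;
    *) echo "FAIL: OCSP response status '$status'"; return 1 ;;
  esac
  cert_status=$(field 'Cert Status' "$out")
  [ "$cert_status" = good ] || { echo "FAIL: cert status '$cert_status'"; return 1; }
  tu=$(field 'This Update' "$out"); nu=$(field 'Next Update' "$out")
  [ -n "$tu" ] && [ -n "$nu" ] || { echo "FAIL: response lacks thisUpdate/nextUpdate"; return 1; }
  this_update=$(to_epoch "$tu"); next_update=$(to_epoch "$nu")
  [ "$now" -ge "$this_update" ] || { echo "FAIL: thisUpdate is in the future (clock skew?)"; return 1; }
  [ "$now" -le "$next_update" ] || { echo "FAIL: stapled response expired (nextUpdate passed)"; return 1; }
  echo "OK: stapled response good, valid for $((next_update - now)) more seconds"
}

usage() { echo "usage: $0 check HOST [PORT] | configure RESOLVER_IP CA_BUNDLE CERT KEY [STATUS_AGE]" >&2; }

main() {
  case ${1:-} in
    check)
      host=$2 port=${3:-443}
      # -status requests a staple; empty stdin makes s_client exit after the handshake
      openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null \
        | check_stapled_response ;;
    configure) shift; configure_stapling "$@" ;;
    *) usage; return 2 ;;
  esac
}
if [ $# -gt 0 ]; then main "$@"; else usage; fi
```

Run `./ocsp_stapling.sh check vip.example.com` from a client that can reach the virtual server; a result of "no stapled response" points at the resolver or responder reachability tips, while an "expired" result means the BIG-IP is serving a cached response past its nextUpdate, so look at the Status Age and refresh behaviour of the stapling profile.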