OCSP Stapling
I've just done this after setting up new certs from Let's Encrypt.
For anyone else hitting issues with OCSP Stapling, I ran into a few gotchas, including:
a) 11.6.0 HF6 has a default Status Age value of 300. Had to up it to 86400 as per a previous poster's recommendation.
b) The default Sign Hash used to identify the certificate to check is SHA256... Let's Encrypt's OCSP responder won't accept SHA256, it needs to be SHA1.
c) Let's Encrypt's OCSP responder will not include its own cert in the response. The "Trusted Responders" option needs to be set properly in the OCSP Stapling profile.
A bit more info at the link below, including examples of debugging using openssl CLI commands.
https://blog.routedlogic.net/?p=1235
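As an added example (not part of the original post, and not F5's or Let's Encrypt's own tooling), here is a small POSIX shell script that pulls the stapled OCSP response a server presents and summarises the fields behind gotchas (b) and (c): the hash algorithm in the certificate ID and whether the responder's own certificate is included. The host name is whatever the caller passes; the embedded `s_client` output is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example: summarise a server's stapled OCSP response from the client side.
# Assumes openssl is on PATH; host/port come from the caller.

# Ask the server for its staple; prints the raw "openssl s_client -status" output.
fetch_staple() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -status </dev/null 2>/dev/null
}

# Read s_client -status output on stdin, print one key=value per line.
# Only lines inside the "OCSP Response Data:" block (between the ==== rules)
# are considered, so the server's own certificate chain is not mistaken for
# a responder certificate.
summarize_staple() {
    awk '
        /OCSP response: no response sent/  { print "stapled=no"; exit }
        /^OCSP Response Data:/             { in_resp = 1; seen = 1; print "stapled=yes" }
        in_resp && /^=+$/                  { in_resp = 0 }
        in_resp && /OCSP Response Status:/ { sub(/.*OCSP Response Status: */, ""); print "response_status=" $0 }
        in_resp && /Hash Algorithm:/       { sub(/.*Hash Algorithm: */, ""); print "hash_algorithm=" $0 }
        in_resp && /Cert Status:/          { sub(/.*Cert Status: */, ""); print "cert_status=" $0 }
        in_resp && /Next Update:/          { sub(/.*Next Update: */, ""); print "next_update=" $0 }
        in_resp && /^Certificate:/         { have_cert = 1 }
        END { if (seen) print "responder_cert_included=" (have_cert ? "yes" : "no") }
    '
}

# Constructed sample (not a real capture): a good response for a Let's Encrypt
# issued cert, identified by a sha1 CertID, with no responder cert attached.
SAMPLE_STAPLE=$(cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Lets Encrypt, CN = R3
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jan  1 12:00:00 2016 GMT
    Next Update: Jan  8 12:00:00 2016 GMT
======================================
EOF
)

# Usage against a live host:  fetch_staple www.example.com | summarize_staple
# Usage against the sample:   printf '%s\n' "$SAMPLE_STAPLE" | summarize_staple
```

If the summary shows `stapled=no`, the TLS server is not stapling at all; `responder_cert_included=no` is the situation from gotcha (c), where the stapling side has to already trust the responder's certificate.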