Forum Discussion

Re: Failed to initialize OCSP Auth Module

How do you have your OCSP AAA configured? At a minimum you need:

  1. URL: OCSP is generally exposed as an HTTP URL (e.g. http://ocsp.example.com:80), so this is where you'd enter that URL.

  2. Certificate Authority File (or path): An OCSP request requires the serial number of the cert and the identity of the cert's issuer, so that the OCSP service knows which CRL to check. Depending on the depth of your CA infrastructure, this could be a single CA or a multi-level structure of multiple CAs and subordinate CAs, so this field will need either a single CA file or a bundle of CAs in a text file. The OCSP agent uses the Authority Key Identifier in the client cert to find the correct CA in the bundle. This file can also be used to validate the signature of the returned signed response if the OCSP responder's certificate is issued by one of these CAs.

The following options are also helpful but not always required:

  1. VA File: If the OCSP responder's certificate is not issued by one of the CA certificates in your bundle, then you'll need a separate certificate here to validate the signature of the returned response.

  2. Ignore AIA: By default, if the client cert has an Authority Info Access value (generally a pointer to a remote OCSP responder), the BIG-IP will follow that URL if it can resolve and contact the service. If you want it to ignore the AIA and use the URL that you've specified, check this box.

  3. Verify: If for whatever reason your OCSP agent cannot validate the response (an unusual requirement or some signature mismatch), you can uncheck the Verify option and allow the agent to just read the response without trying to validate it.

The other settings are important, but you'll probably not have to adjust them from their default values. As an additional troubleshooting step, you can copy the client's cert to the BIG-IP management shell and perform an OCSP query from the command line to see if there's any type of connectivity or other issues:

openssl ocsp -issuer [issuer cert] -cert [client cert] -url [OCSP URL] -CAfile [CA cert]

** You can optionally add -VAfile if you need to use a VA certificate.
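The offline rehearsal below is an added example, not part of the original post and not F5's code. It stands up a throw-away CA, a valid and a revoked client cert issued by it, and a self-signed responder ("VA") cert that the CA did not issue; it then uses openssl ocsp itself as the responder and checks the stored response three ways: with the CA bundle alone, with the CA bundle plus a VA file, and with verification switched off (the command-line equivalent of unchecking Verify). Every file name, subject and serial number (lab-ca, client, revoked, va, 0x1001, 0x1002) is made up for the example; it only needs openssl on the path and never contacts a network responder.

```shell
#!/bin/sh
# Added example (not from the original post or from F5): rehearse the
# openssl ocsp call from the post against a throw-away CA and responder,
# offline, so the effect of -CAfile vs -VAfile vs -noverify can be seen
# without a live OCSP service. All names, subjects and serials are made up.
set -eu

LAB="${OCSP_LAB_DIR:-$(mktemp -d)}"
cd "$LAB"

# Lab PKI: a CA, a valid and a revoked client cert issued by it, and a
# responder ("VA") cert that is self-signed, so NOT issued by the CA. That
# is exactly the case in which the post says a separate VA file is needed.
build_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null
  for name in client revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null
  done
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
    -set_serial 0x1001 -days 30 -out client.crt 2>/dev/null
  openssl x509 -req -in revoked.csr -CA ca.crt -CAkey ca.key \
    -set_serial 0x1002 -days 30 -out revoked.crt 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=va" \
    -keyout va.key -out va.crt 2>/dev/null
  # CA index as read by "openssl ocsp -index". The responder answers by
  # looking up the serial number carried in the request, which is why a
  # request needs the serial plus the issuer identity.
  # Fields: status, expiry, revocation date, serial (hex), file, subject.
  printf 'V\t491231235959Z\t\t1001\tunknown\t/CN=client\n'                 >  index.txt
  printf 'R\t491231235959Z\t240101000000Z\t1002\tunknown\t/CN=revoked\n'   >> index.txt
}

# Play the responder once: build a request for both client certs, answer it
# from index.txt, sign the answer with the VA key, and store it as DER.
make_response() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner va.crt -rkey va.key \
    -issuer ca.crt -cert client.crt -cert revoked.crt -no_nonce \
    -respout resp.der >/dev/null
}

# Check the stored response the way the AAA agent would, with whatever extra
# trust arguments are passed ("-VAfile va.crt", "-noverify", or nothing).
# stdout and stderr are captured and the exit status is ignored, because the
# caller classifies the text rather than the code.
run_check() {
  openssl ocsp -respin resp.der -issuer ca.crt -CAfile ca.crt \
    -cert client.crt -cert revoked.crt -no_nonce "$@" 2>&1 || true
}

# Reduce a check to one verdict: OK (responder signature chained to a trust
# anchor), FAIL (signature could not be validated), SKIPPED (-noverify).
verify_verdict() {
  case "$(run_check "$@")" in
    *"verify OK"*)      echo OK ;;
    *"Verify Failure"*) echo FAIL ;;
    *)                  echo SKIPPED ;;
  esac
}

# Pull the revocation status of one cert file name out of the summary.
cert_status() {
  run_check -noverify | sed -n "s/^$1: //p"
}

build_lab_pki
make_response
echo "CA bundle only:      $(verify_verdict)"                  # FAIL: va.crt is not issued by lab-ca
echo "CA bundle + VA file: $(verify_verdict -VAfile va.crt)"   # OK
echo "Verify unchecked:    $(verify_verdict -noverify)"        # SKIPPED
echo "client.crt status:   $(cert_status client.crt)"          # good
echo "revoked.crt status:  $(cert_status revoked.crt)"         # revoked
```

The FAIL verdict with the CA bundle alone is the situation the VA File option exists for: the signature is fine, but the signer cannot be chained to anything in -CAfile, so only naming the responder cert explicitly (-VAfile, or the VA File field) makes the response acceptable. -noverify still reports good/revoked, which is what unchecking Verify buys you, at the price of trusting whatever answered. To rehearse against a real responder, replace -respin resp.der with -url as in the command above.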