Forum Discussion
Remote User Management - LDAP Client Cert
Thank you Kevin. It is now working. The 4 issues that I think bit me are below.
- In my lab environment I did not add OCSP to the AIA extension of the CA. I reissued cert once added and then ran certutil -URL path\dev.cer. Validated the certificate against my OCSP responder.
- Imported CA cert in PEM format. (Base64)
- Configured OCSP override on the BIG-IP client-cert ldap config.
- Enabled Nonce support on my OCSP responder.
Unfortunately my frustration led me to modify all four without trying to determine which of them actually resolved it. Nonetheless, thank you for taking the time to respond to my question. Your input is greatly appreciated.
Long ago post, but I wanted to comment that after a very frustrating week of working with this I found in the openssl ocsp man page that response verification requires the issuer of the response to also be the issuer of the certificate. So if you overload a hierarchy with just the one OCSP responder it could never pass. From their page you can run openssl to create a new PEM that has trusted extensions for the issuer of the OCSP responder.
openssl x509 -in ocspCA.pem -addtrust OCSPSigning -out trustedCA.pem
And F5 / LTM will not do the LDAP authentication with the ssl-ocsp-enable set to "off". It will just skip the LDAP lookup.
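The verification rules the post above refers to can be checked directly: openssl accepts an OCSP response when the responder certificate is the issuer of the certificate being checked, when it was issued by that issuer and carries the OCSPSigning extended key usage, or when its chain ends in a root that has been explicitly marked trusted for OCSP signing (the -addtrust OCSPSigning command quoted in the post). The script below is an added example and not code from the thread or from F5; it assumes a current OpenSSL command line (1.1.1 or 3.x) and uses hypothetical CA and subject names ("Client Issuing CA", "Global OCSP CA", "ldap-client"). It builds a throwaway PKI in a temporary directory, answers one OCSP request offline with a "global" responder from a separate CA and with a responder authorised by the issuing CA, and then verifies each response against different trust stores.

```shell
#!/bin/sh
# Added example; not code from the thread or from F5. Builds a throwaway PKI
# with openssl and checks which trust stores make "openssl ocsp" accept a
# response signed by a responder from a different CA than the one that issued
# the certificate under test. CA and subject names are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# EC key plus CSR: $1 = file prefix, $2 = subject CN
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Self-signed CA: $1 = file prefix, $2 = subject CN
make_ca() {
  csr "$1" "$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 -days 30 \
    -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# End-entity cert: $1 = prefix, $2 = CN, $3 = issuing CA prefix, $4 = serial, $5 = EKU
issue() {
  csr "$1" "$2"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$5" >"$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -set_serial "$4" \
    -days 30 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

build_pki() {
  make_ca issuing "Client Issuing CA"   # issues the LDAP client certificate
  make_ca ocspca  "Global OCSP CA"      # separate CA behind one shared responder
  issue client    ldap-client    issuing 4097 clientAuth
  issue responder ocsp-responder ocspca  4098 OCSPSigning  # "global" responder
  issue delegated ocsp-delegated issuing 4099 OCSPSigning  # responder authorised by the issuing CA

  # "openssl ocsp -index" reads the CA text database: status, expiry,
  # revocation date (empty), serial in hex, file name, subject; tab separated.
  serial=$(openssl x509 -in client.pem -noout -serial | cut -d= -f2)
  printf 'V\t351231235959Z\t\t%s\tunknown\t/CN=ldap-client\n' "$serial" >index.txt
  printf 'unique_subject = no\n' >index.txt.attr

  # One request for the client cert, answered offline by each responder.
  # Nonces are left out because they play no part in the trust rules tested here.
  openssl ocsp -issuer issuing.pem -cert client.pem -no_nonce -reqout req.der >/dev/null 2>&1
  for r in responder delegated; do
    openssl ocsp -index index.txt -CA issuing.pem -rsigner "$r.pem" -rkey "$r.key" \
      -rmd sha256 -no_nonce -reqin req.der -respout "resp-$r.der" >/dev/null 2>&1
  done

  # Candidate trust stores for the verifier.
  cat issuing.pem ocspca.pem >plain.pem
  openssl x509 -in ocspca.pem -addtrust OCSPSigning -out trustedCA.pem  # the command from the post
  cat issuing.pem trustedCA.pem >trusted.pem
}

# Prints "OK" if openssl accepts the response with the given CAfile, else "FAIL".
verdict() {  # $1 = response file, $2 = CAfile
  out=$(openssl ocsp -respin "$1" -issuer issuing.pem -cert client.pem \
          -no_nonce -CAfile "$2" 2>&1 || true)
  case "$out" in
    *"Response verify OK"*) echo OK ;;
    *) echo FAIL ;;
  esac
}

build_pki
printf '%-76s %s\n' "global responder, store = issuing CA only" "$(verdict resp-responder.der issuing.pem)"
printf '%-76s %s\n' "global responder, store = issuing CA + OCSP CA as a plain cert" "$(verdict resp-responder.der plain.pem)"
printf '%-76s %s\n' "global responder, store = issuing CA + OCSP CA with -addtrust OCSPSigning" "$(verdict resp-responder.der trusted.pem)"
printf '%-76s %s\n' "responder issued by the issuing CA with EKU OCSPSigning, store = issuing CA" "$(verdict resp-delegated.der issuing.pem)"
```

The first two cases fail: without the responder's CA the chain cannot be built, and with it present as a plain certificate openssl still reports that the root CA is not trusted, because a root only counts as an OCSP trust anchor when it carries the OCSPSigning trust attribute. The third case passes once the root has been rewritten with -addtrust OCSPSigning, and the fourth passes with nothing but the issuing CA in the store, since a responder certificate issued by that CA with the OCSPSigning extended key usage is a delegated responder under the same rules.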