Forum Discussion
SSL VS w/OCSP responder - Peer cert verify error
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /CN=nmc60.test.com)
Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260009:7: Connection error: ssl_shim_vfycert:2348: unsupported certificate purpose (42)
Below is the config I am using...
BIG-IP 10.2.1
virtual test_PUAC {
   snat automap
   pool test_PUAC
   destination 192.168.192.200:https
   ip protocol tcp
   auth pr_sslocsp_test_nmc_pcrt10
   profiles {
      http {}
      tcp {}
      test_PCRT_wildcard {
         clientside
      }
   }
}
profile auth pr_sslocsp_test_nmc_pcrt10 {
   defaults from ssl_ocsp
   config ocsp_resp_nmc_pcrt10_conf
   type ssl ocsp
   credential source http basic auth
}
auth ssl ocsp ocsp_resp_nmc_pcrt10_conf {
   responders ocsp_resp_test_NMC_PCRT10
}
ocsp responder ocsp_resp_test_NMC_PCRT10 {
   url "http://10.16.232.247/ocsp"
   ca file "PCRT_ALL.crt"
   signer "PCRT_Root-wildcard.crt"
   sign key "PCRT_Root-wildcard.key"
}
profile clientssl test_PCRT_wildcard {
   defaults from clientssl
   key "PCRT_Root-wildcard.key"
   cert "PCRT_Root-wildcard.crt"
   chain "PCRT_ALL.crt"
   ca file "PCRT_ALL.crt"
   client cert ca "PCRT_ALL.crt"
   peer cert mode require
}
Brian
- hooleylist (Cirrostratus): Hi Brian,
- barneb01_8208 (Nimbostratus): Hi Aaron,
- Emad_26973 (Cirrus): Any update on this thread, as I am facing the same issue?
- barneb01_8208 (Nimbostratus): Hi Emad, review the "Client Authentication" settings of the SSL client profile assigned to the VS, and note the available "client certificate" options (ignore, require, request).
The "require" setting enforces client certificate authentication with OCSP. The BIG-IP will request a client certificate and attempt to verify it. An SSL session is established ONLY if a valid client certificate from a trusted CA was presented AND the client certificate was configured with the "ssl client" purpose.
Brian
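The purpose check described in the reply above, as an added example that is not part of the original thread: the error text in the log lines at the top of the page ("unsupported certificate purpose") is OpenSSL's message for a failed X509 purpose check, and the "ssl client" purpose the reply refers to is the `clientAuth` extended key usage. The script below builds a throwaway CA and three client certificates with made-up names (Example Test CA, client-ok, server-only, no-eku; none of these are from Brian's configuration) and runs `openssl verify -purpose sslclient` against each, which is the same purpose test applied to the presented certificate at depth 0.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce the
# "unsupported certificate purpose" verify failure with plain OpenSSL.
# Every name here (the CA and the three leaf subjects) is made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed issuing CA (stands in for the CA bundle a client SSL profile trusts).
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 1 >/dev/null 2>&1

# issue_cert NAME EKU: sign a leaf certificate for "/CN=NAME" with the given
# extendedKeyUsage value; pass an empty string to omit the EKU extension entirely.
issue_cert() {
  name=$1; eku=$2
  openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$name" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  echo "keyUsage = digitalSignature, keyEncipherment" > "$WORK/$name.ext"
  if [ -n "$eku" ]; then
    echo "extendedKeyUsage = $eku" >> "$WORK/$name.ext"
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

issue_cert client-ok   "clientAuth"   # what "peer cert mode require" needs
issue_cert server-only "serverAuth"   # EKU present, but without clientAuth
issue_cert no-eku      ""             # no EKU extension at all

# verify_as_client NAME: exit 0 if the cert chains to the CA and is acceptable
# for the SSL client purpose, non-zero otherwise.
verify_as_client() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_reason NAME: the full `openssl verify` output, including the error text.
verify_reason() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 || true
}

# purpose_flag NAME: "Yes" or "No" from the "SSL client" line of `openssl x509 -purpose`.
purpose_flag() {
  openssl x509 -noout -purpose -in "$WORK/$1.crt" | sed -n 's/^SSL client : //p'
}

for c in client-ok server-only no-eku; do
  if verify_as_client "$c"; then
    echo "$c: accepted (SSL client purpose: $(purpose_flag "$c"))"
  else
    echo "$c: REJECTED: $(verify_reason "$c" | grep 'unsupported certificate purpose' | head -n 1)"
  fi
done
```

Note that a certificate with no extendedKeyUsage at all passes the sslclient purpose check: OpenSSL rejects the purpose only when an EKU is present and omits clientAuth, when a keyUsage is present and does not permit signing, or when an nsCertType is present without the client flag. A depth-0 rejection of a specific certificate therefore points at one of those extensions on that certificate, and `openssl x509 -noout -purpose -in <that cert>` shows the "SSL client : No" line directly.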