Forum Discussion

Feb 21, 2012

SSL VS w/OCSP responder - Peer cert verify error

I have an SSL VS configured with a client ssl and OCSP authentication profile and I'm observing SSL handshake failures even though the OCSP response status is successful (0). I enabled "bigpipe db Log.Ssl.Level debug" and received the following messages. Any ideas on how to troubleshoot this issue are appreciated.

Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260006:7: Peer cert verify error: unsupported certificate purpose (depth 0; cert /

Feb 21 14:39:44 local/tmm1 debug tmm1[5209]: 01260009:7: Connection error: ssl_shim_vfycert:2348: unsupported certificate purpose (42)

Below is the config I am using...

BIG-IP 10.2.1

virtual test_PUAC {
   snat automap
   pool test_PUAC
   ip protocol tcp
   auth pr_sslocsp_test_nmc_pcrt10
   profiles {
      http {}
      tcp {}
      test_PCRT_wildcard {
      }
   }
}

profile auth pr_sslocsp_test_nmc_pcrt10 {
   defaults from ssl_ocsp
   config ocsp_resp_nmc_pcrt10_conf
   type ssl ocsp
   credential source http basic auth
}

auth ssl ocsp ocsp_resp_nmc_pcrt10_conf {
   responders ocsp_resp_test_NMC_PCRT10
}

ocsp responder ocsp_resp_test_NMC_PCRT10 {
   url ""
   ca file "PCRT_ALL.crt"
   signer "PCRT_Root-wildcard.crt"
   sign key "PCRT_Root-wildcard.key"
}

profile clientssl test_PCRT_wildcard {
   defaults from clientssl
   key "PCRT_Root-wildcard.key"
   cert "PCRT_Root-wildcard.crt"
   chain "PCRT_ALL.crt"
   ca file "PCRT_ALL.crt"
   client cert ca "PCRT_ALL.crt"
   peer cert mode require
}


4 Replies

  • Hi Brian,

    It sounds like someone's cert (the client or possibly the OCSP server) isn't set with a valid purpose (client or OCSP server). Who has the cert installed?

  • Hi Aaron,

    " cert" is installed on the client (not f5) and is the cert the f5 is attempting to authenticate via OCSP. The OCSP response is successful but the f5 doesn't like the purpose of the cert. Support had me load the client cert on the f5 and run the following ocsp commands...

    openssl verify -purpose sslclient -CAfile PCRT_ALL.crt

    openssl verify -purpose sslserver -CAfile PCRT_ALL.crt

    Both commands return the same result:

    error 26 at 0 depth lookup:unsupported certificate purpose

    We had the admin who provisions the certs modify the purpose and then I ran the openssl command again and got a positive result. Problem now is the OCSP server responds with an "unauthorized" OCSP response with the updated client cert.

    The unauthorized response is a different issue, but I'm curious about the following...

    What "purpose type" does the f5 expect when verifying the client cert?

    Where in the ltm config can I view how the f5 is attempting to verify the cert, and can those parameters be changed?

    • Hi Emad, review the "Client Authentication" settings of the SSL client profile assigned to the VS, and note the available "client certificate" options (ignore, require, request).


      The "require" setting enforces Client Certificate Authentication w/OCSP. The BIG-IP will request a client certificate and attempt to verify it. An SSL session is established ONLY if a valid client certificate from a trusted CA was presented AND if the client certificate was configured with the "ssl client" purpose.
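
      The two points above (Support's `openssl verify -purpose` check and the "ssl client" purpose the BIG-IP requires) can be reproduced offline. The script below is an added example, not code from the thread or from F5: it builds a throwaway CA and issues two client certs, one with an extendedKeyUsage that lacks clientAuth and one that has it, then runs the same purpose check; the CA name, file names and the helper functions are all constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL error 26 "unsupported
# certificate purpose" with a constructed CA and two leaf certs, then show the
# check passing once the leaf carries the clientAuth EKU. All names are made up.
set -e
WORK=$(mktemp -d)

# Minimal config so the CA is a real CA (CA:TRUE, keyCertSign) regardless of the
# system openssl.cnf. It stands in for the thread's PCRT_ALL.crt bundle.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Constructed Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME EKU: sign a leaf for NAME whose extendedKeyUsage is exactly EKU.
issue_cert() {
  printf 'keyUsage = digitalSignature\nextendedKeyUsage = %s\n' "$2" > "$WORK/$1.ext"
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_purpose NAME PURPOSE: echoes "ok" when the leaf chains to the CA and is
# allowed for PURPOSE (sslclient, sslserver, ...), otherwise the verify error.
verify_purpose() {
  if out=$(openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1); then
    echo ok
  elif printf '%s' "$out" | grep -q 'unsupported certificate purpose'; then
    echo "unsupported certificate purpose"   # OpenSSL error 26, as in the thread
  else
    echo "other error"
  fi
}

# emailProtection only: the shape of cert that fails both sslclient and sslserver,
# exactly as the poster saw. Re-issued with clientAuth it is what "peer cert mode
# require" will accept.
issue_cert email-only emailProtection
issue_cert browser clientAuth
verify_purpose email-only sslclient   # unsupported certificate purpose
verify_purpose browser    sslclient   # ok
verify_purpose browser    sslserver   # unsupported certificate purpose
```

      A cert with no extendedKeyUsage extension at all passes every purpose check, so the failure in the thread means the client cert carried an EKU list that simply did not include TLS Web Client Authentication.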