Forum Discussion
User/Personal Certificate Revocation Checks
Hi guys,
Just a quick one: is it possible to use an OCSP responder to check the validity of user/personal certificates? I've noticed that within the client SSL profile you only get the option to specify a local (uploaded) CRL to use, whereas with machine certificate checks an OCSP responder can be specified to automate this, thus preventing manual updating of the revocation list.
Thanks
Peter
3 Replies
- Kevin_Stewart
Employee
The Access Policy Manager (APM) module has this capability.
- vandenhoutenp_9
Nimbostratus
Thanks Kevin. Presumably that's part of the Client Cert Inspection check but how does that work in conjunction with the client SSL profile?
Thanks
Peter
- Kevin_Stewart
Employee
OCSP is actually performed via an OCSP Auth agent in the visual policy and corresponding OCSP AAA configuration. The agent assumes that client cert data is being sent to it via an APM session variable, session.ssl.cert.whole if I remember correctly. There are generally two ways to make that happen. You can specify request or require in the client authentication section of the client SSL profile, or you can use an On-Demand Certificate auth agent in the VPE before the OCSP agent. The client SSL profile is still needed for both options to enforce client side SSL characteristics (ciphers, trust chains, server certs/keys, etc.). The On-Demand cert auth agent simply flips the client auth option from ignore to request or require and initiates an SSL renegotiation to get the client cert.
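To make the exchange Kevin describes concrete, here is an added example that is not from this thread and not F5 code: it reproduces, with the plain openssl CLI, what an OCSP Auth agent does with the user certificate it receives from the client SSL handshake. Everything in it is constructed: a throw-away CA, one user certificate (serial 0x1001, CN=peter), and a responder database in the "openssl ca" index format; the script plays both the requester (the OCSP agent) and the responder, and shows the answer changing from good to revoked when the CA's database changes, which is the automation Peter was asking for in place of a manually uploaded CRL.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code): emulate the OCSP check an
# APM OCSP Auth agent performs on a user certificate, using only openssl.
# Constructed inputs: throw-away CA, one client cert (serial 0x1001, CN=peter),
# and a hand-written responder database in "openssl ca" index format.
set -eu

WORK=$(mktemp -d)
CLIENT_SERIAL=1001   # hex, exactly as it must appear in the CA index

# Build the throw-away PKI: a self-signed CA and one user certificate.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=peter" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial "0x$CLIENT_SERIAL" \
        -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -out "$WORK/client.pem" 2>/dev/null
}

# Write the responder's revocation database: "V" = valid, "R" = revoked, in the
# six tab-separated columns openssl expects (status, expiry, revocation date,
# serial, filename, subject). This is the data a CRL would otherwise carry.
write_index() {   # $1 = V or R
    if [ "$1" = R ]; then
        printf 'R\t491231235959Z\t240101000000Z\t%s\tunknown\t/CN=peter\n' "$CLIENT_SERIAL"
    else
        printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=peter\n' "$CLIENT_SERIAL"
    fi > "$WORK/index.txt"
}

# One full exchange. Prints the certificate status (good / revoked / unknown)
# and fails if the responder's signature does not verify against the CA.
ocsp_status() {   # $1 = V or R
    write_index "$1"
    # 1. Requester: build an OCSPRequest naming the user cert by issuer hashes + serial.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/client.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    # 2. Responder: answer from the index, signed with the CA key (offline, no network).
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -no_nonce \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
    # 3. Requester: verify the response chain against the CA, then read the status.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/client.pem" -no_nonce \
        -CAfile "$WORK/ca.pem" -respin "$WORK/resp.der" \
        >"$WORK/out.txt" 2>"$WORK/err.txt"
    grep -q 'Response verify OK' "$WORK/err.txt" || { echo verify-failed; return 1; }
    awk -F': ' '/: (good|revoked|unknown)$/ { print $NF; exit }' "$WORK/out.txt"
}

setup_pki
echo "serial $CLIENT_SERIAL listed as valid in the CA index:   $(ocsp_status V)"
echo "serial $CLIENT_SERIAL listed as revoked in the CA index: $(ocsp_status R)"
```

Two points map directly back to the APM setup: the requester needs the user certificate itself (here `client.pem`, in APM the `session.ssl.cert.whole` variable populated by the client SSL profile's request/require setting or by the On-Demand Cert Auth agent), and the response is only accepted after its signature chains to a trusted CA (`-CAfile` here, the trusted CA bundle in the OCSP AAA object), so a responder that cannot be verified yields a failure rather than a "good".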