Why is OCSP response caching not working with Client Certificate Authentication?

Question

Hi everyone,I'm implementing OCSP client certificate authentication on BIG-IP using a custom OCSP Auth profile.I see that BIG-IP sends a new OCSP request for each connection.I’ve tried disabling the Nonce option and setting custom values for Status Age and Validity Period, but it didn’t change the behavior — no caching happens.Also, I confirmed that caching seems to work only in OCSP stapling scenarios , but not when validating client certificates.Question:Is it expected that OCSP Auth profiles do not support any form of caching,Is there a supported workaround to avoid redundant OCSP traffic or should I configure a CRL?Thanks in advance!

vgf5 · Accepted Answer

Hi sjerbi​&nbsp;&nbsp;Yes, this is expected behavior. OCSP response caching is only supported for OCSP stapling scenarios, where the BIG-IP acts as a server and provides stapled OCSP responses during TLS handshakes. When validating client certificates, the system doesn’t cache OCSP responses and sends a new request for each connection.&nbsp;Refer: https://my.f5.com/manage/s/article/K75106155&nbsp;&nbsp;&nbsp;

Forum Discussion

Why is OCSP response caching not working with Client Certificate Authentication?

2 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Does F5 Rules for AWS WAF - Common Vulnerabilities & Exposures Mitigate Log4J vulnerabilities

Credentialed Scanning - F5OS - Rseries

WebSocket connection to 'wss://...' failed: Invalid frame header

f5 asm reporting aggregate

rSeries 4600 additional Core Enable

Related Content

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Automating ACMEv2 Certificate Management on BIG-IP

COVID-19 Response: F5 Certifications Q&A

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS