Forum Discussion

sjerbi
Jul 15, 2025
Solved

Why is OCSP response caching not working with Client Certificate Authentication?

Hi everyone,

I'm implementing OCSP client certificate authentication on BIG-IP using a custom OCSP Auth profile.

I see that BIG-IP sends a new OCSP request for each connection.

I’ve tried disabling the Nonce option and setting custom values for Status Age and Validity Period, but it didn’t change the behavior — no caching happens.

Also, I confirmed that caching seems to work only in OCSP stapling scenarios, but not when validating client certificates.

Question:
Is it expected that OCSP Auth profiles do not support any form of caching?

Is there a supported workaround to avoid redundant OCSP traffic, or should I configure a CRL?

Thanks in advance!

2 Replies

  • VGF5

    Hi sjerbi

    Yes, this is expected behavior. OCSP response caching is only supported for OCSP stapling scenarios, where the BIG-IP acts as a server and provides stapled OCSP responses during TLS handshakes. When validating client certificates, the system doesn’t cache OCSP responses and sends a new request for each connection.

    Refer: https://my.f5.com/manage/s/article/K75106155

  • sjerbi

    Hi VGF5

    thank you for your reply.

    Is there any solution to work around this issue?