Forum Discussion
Why is OCSP response caching not working with Client Certificate Authentication?
Hi everyone,
I'm implementing OCSP client certificate authentication on BIG-IP using a custom OCSP Auth profile.
I see that BIG-IP sends a new OCSP request for each connection.
I’ve tried disabling the Nonce option and setting custom values for Status Age and Validity Period, but it didn’t change the behavior — no caching happens.
Also, I confirmed that caching seems to work only in OCSP stapling scenarios , but not when validating client certificates.
Question:
Is it expected that OCSP Auth profiles do not support any form of caching,
Is there a supported workaround to avoid redundant OCSP traffic or should I configure a CRL?
Thanks in advance!
Hi sjerbi
Yes, this is expected behavior. OCSP response caching is only supported for OCSP stapling scenarios, where the BIG-IP acts as a server and provides stapled OCSP responses during TLS handshakes. When validating client certificates, the system doesn’t cache OCSP responses and sends a new request for each connection.
Refer: https://my.f5.com/manage/s/article/K75106155
2 Replies
- VGF5
Cumulonimbus
Hi sjerbi
Yes, this is expected behavior. OCSP response caching is only supported for OCSP stapling scenarios, where the BIG-IP acts as a server and provides stapled OCSP responses during TLS handshakes. When validating client certificates, the system doesn’t cache OCSP responses and sends a new request for each connection.
Refer: https://my.f5.com/manage/s/article/K75106155
- sjerbi
Nimbostratus
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com