Why is OCSP response caching not working with Client Certificate Authentication?

Question

Hi everyone,I'm implementing OCSP client certificate authentication on BIG-IP using a custom OCSP Auth profile.I see that BIG-IP sends a new OCSP request for each connection.I’ve tried disabling the Nonce option and setting custom values for Status Age and Validity Period, but it didn’t change the behavior — no caching happens.Also, I confirmed that caching seems to work only in OCSP stapling scenarios , but not when validating client certificates.Question:Is it expected that OCSP Auth profiles do not support any form of caching,Is there a supported workaround to avoid redundant OCSP traffic or should I configure a CRL?Thanks in advance!

vgf5 · Accepted Answer

Hi sjerbi​&nbsp;&nbsp;Yes, this is expected behavior. OCSP response caching is only supported for OCSP stapling scenarios, where the BIG-IP acts as a server and provides stapled OCSP responses during TLS handshakes. When validating client certificates, the system doesn’t cache OCSP responses and sends a new request for each connection.&nbsp;Refer: https://my.f5.com/manage/s/article/K75106155&nbsp;&nbsp;&nbsp;

Forum Discussion

Why is OCSP response caching not working with Client Certificate Authentication?

2 Replies

How I did it - "High-Performance S3 Load Balancing of Dell ObjectScale with F5 BIG-IP"

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

BIG-IP Next HA failed

301 RESPONSE AND REDIRECT

How to allow Request getting blocked due to Malformed JSON data

SSH proxy implementation

ISV logging in 17.1.2.2

Related Content

Automating Certificate Management on F5 BIG-IP

APM Clientless certificate authentication

BIG-IQ Client Certificate (PKI) Authentication

Automating ACMEv2 Certificate Management on BIG-IP

COVID-19 Response: F5 Certifications Q&A

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS