Sam_Hall
Nimbostratus
Nimbostratus@Torsten, I think you'll find that after a short time the cached response would be invalid as I'm lead to believe the OCSP response has it's own expiry. But I'm new to this OCSP stapling so maybe someone with more experience could chime in.
I generally don't revoke certificates, I just destroy them as best I can along with the private keys after I've got a replacement cert+key pair setup on the F5. The revocation process is more complicated and less reliable than starting over. I'd only use revocation if a private key was stolen.
I eventually got rid of my Firefox error, I think it had something to do with the order of the certificates. It turned out that my stapled OCSP data was actually useless. Browsers other than Firefox just ignored it and fetched it from the source. Once I got it working, I found still there was no chain certificate getting stapled so I figure I'll disable it for now as it seems like a flakey feature.