Configuring OCSP Stapling on BIG-IP
When setting up an SSL connection, the certificate tells you its expiration date, but how do you tell whether the SSL certificate has been revoked? There are multiple ways to do this. The first is the Certificate Revocation ...
Published Jan 26, 2016
Version 1.0
JRahm (Admin)
Torsten_Sorger, Nov 01, 2017
@Sam: I would expect this too, but after waiting for roughly one day the certificate was still shown as valid until I manually deleted the OCSP cache...
Regarding the timeout of OCSP stapling I tested against the website of our CA:
echo HEAD / HTTP/1.0 | openssl s_client -connect www.digicert.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
Result:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
Produced At: Oct 30 00:12:54 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
Serial Number: 0793EC89595DBA606D1FD9F7BE389802
Cert Status: good
This Update: Oct 30 00:12:54 2017 GMT
Next Update: Nov 5 23:27:54 2017 GMT
So it seems the timeout is seven days, which I find rather irritating, or is this just a fixed renewal that is independent of revoking certificates? Nevertheless, I have now set the timeout to 1800 seconds and will see how this performs...
Any further advice appreciated 🙂
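The question above is really about two different clocks: the validity window the OCSP responder puts on its response (This Update to Next Update) and the lifetime for which a stapling cache keeps that response. The following script is an added example, not code from the original post, from F5, or from the BIG-IP product: it parses the text that `openssl s_client -status` prints (the sample below is the response quoted in the comment above, embedded inline so it runs offline), computes the responder's window, and decides whether a staple is still usable at a given time. The `max_age` threshold is an assumption used to flag staples that are valid but old enough that an operator may want the cache refreshed; it has nothing to do with the BIG-IP 1800-second setting mentioned above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the OCSP fields as printed by `openssl s_client -status`,
# copied from the response shown in the comment above.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
    Produced At: Oct 30 00:12:54 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
      Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
      Serial Number: 0793EC89595DBA606D1FD9F7BE389802
    Cert Status: good
    This Update: Oct 30 00:12:54 2017 GMT
    Next Update: Nov  5 23:27:54 2017 GMT
"""

# openssl prints times like "Nov  5 23:27:54 2017 GMT" (day not zero-padded,
# possibly padded with two spaces); whitespace is normalised before parsing.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _parse_time(value):
    normalised = " ".join(value.split())
    return datetime.strptime(normalised, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_response(text):
    """Pull the fields a stapling check needs out of openssl's text dump."""
    fields = {}
    for key in ("OCSP Response Status", "Cert Status",
                "Produced At", "This Update", "Next Update"):
        m = re.search(r"^\s*" + re.escape(key) + r":\s*(.+?)\s*$", text, re.M)
        if m:
            fields[key] = m.group(1)
    for required in ("This Update", "Next Update"):
        if required not in fields:
            raise ValueError("OCSP text is missing " + required)
    return {
        "status": fields.get("OCSP Response Status", ""),
        "cert_status": fields.get("Cert Status", ""),
        "produced_at": _parse_time(fields["Produced At"]) if "Produced At" in fields else None,
        "this_update": _parse_time(fields["This Update"]),
        "next_update": _parse_time(fields["Next Update"]),
    }


def validity_window(resp):
    """How long the responder says this response may be relied upon."""
    return resp["next_update"] - resp["this_update"]


def evaluate_staple(resp, now, max_age=timedelta(days=1)):
    """Return (usable, reason) for a stapled response at time `now`.

    A staple is usable only if the responder answered successfully, the
    certificate status is 'good', and `now` lies inside the validity window.
    A usable staple older than `max_age` (an assumed operator threshold) is
    still accepted but flagged so the cache can be refreshed earlier than
    the responder's own Next Update would force it.
    """
    if not resp["status"].startswith("successful"):
        return False, "responder error: " + (resp["status"] or "unknown")
    if resp["cert_status"] != "good":
        return False, "certificate status is " + (resp["cert_status"] or "unknown")
    if now < resp["this_update"]:
        return False, "response not yet valid"
    if now > resp["next_update"]:
        return False, "response expired at " + resp["next_update"].isoformat()
    age = now - resp["this_update"]
    if age > max_age:
        return True, "valid but %d days old; consider refreshing" % age.days
    return True, "fresh"


if __name__ == "__main__":
    resp = parse_ocsp_response(SAMPLE_OCSP_TEXT)
    print("responder validity window:", validity_window(resp))
    for when in ("Nov 1 12:00:00 2017 GMT", "Nov 6 00:00:00 2017 GMT"):
        print(when, "->", evaluate_staple(resp, _parse_time(when)))
```

Run against a live server by replacing `SAMPLE_OCSP_TEXT` with the output of the `openssl s_client ... -status` command from the comment. For the sample above the window is just under seven days, which is the responder's renewal cadence; it says nothing about how quickly a revocation would show up, since a cache that holds the response for the whole window will keep answering "good" until Next Update regardless of what the CA has done in the meantime.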