Configuring OCSP Stapling on BIG-IP

When setting up an SSL connection the cert tells you its expiration, but how do you tell if the SSL Cert has been revoked? There are multiple ways to do this. The first is the Certificate Revocation ...
Published Jan 26, 2016
Version 1.0
BIG-IP
ocsp
security
ssl
Torsten_Sorger's avatar
Torsten_Sorger
Icon for Nimbostratus rankNimbostratus
Nov 01, 2017

@Sam: I would expect this too but after waiting for roughly one day the certificate was still shown as valid until I manually deleted the OCSP cache...

Regarding the timeout of OCSP stapling I tested against the website of our CA:

echo HEAD / HTTP/1.0 | openssl s_client -connect www.digicert.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

Result:

OCSP response:
======================================
    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
    Produced At: Oct 30 00:12:54 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
      Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
      Serial Number: 0793EC89595DBA606D1FD9F7BE389802
    Cert Status: good
    This Update: Oct 30 00:12:54 2017 GMT
    Next Update: Nov  5 23:27:54 2017 GMT

So it seems the timeout is seven days which I find rather irritating, or is this just a fixed renewal which is independent of revoking certificates? Nevertheless I did now set the timeout to 1800 seconds and see how this will perform...

Any further advise appreciated 🙂