Configuring OCSP Stapling on BIG-IP
Published Jan 26, 2016
Version 1.0
@Sam: I would expect this too but after waiting for roughly one day the certificate was still shown as valid until I manually deleted the OCSP cache...
Regarding the timeout of OCSP stapling I tested against the website of our CA:
echo HEAD / HTTP/1.0 | openssl s_client -connect www.digicert.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
Result:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
Produced At: Oct 30 00:12:54 2017 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
Serial Number: 0793EC89595DBA606D1FD9F7BE389802
Cert Status: good
This Update: Oct 30 00:12:54 2017 GMT
Next Update: Nov 5 23:27:54 2017 GMT
So it seems the timeout is seven days, which I find rather irritating, or is this just a fixed renewal which is independent of revoking certificates? Nevertheless, I have now set the timeout to 1800 seconds and will see how this performs...
Any further advice appreciated 🙂
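The question in the comment above comes down to reading the validity window of the stapled response (This Update to Next Update) and deciding how often the proxy should refetch. The following is an added example, not part of the comment or of F5's own tooling: it parses the text form of an OCSP response as `openssl s_client -status` prints it, computes the window, checks whether a response is still usable at a given moment, and picks a refetch interval. The sample text is constructed from the response quoted in the thread; the refresh heuristic (never later than a configured maximum, never past the halfway point of the remaining validity) and the 300-second clock-skew allowance are assumptions of this example, not BIG-IP defaults.

```python
"""Parse the text form of an OCSP response (as printed by `openssl s_client -status`
or `openssl ocsp -text`) and reason about how long a stapled copy stays useful.

Added example; not from the original comment or from F5. The sample text below is
constructed from the response quoted in the thread.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the relevant lines of the response quoted in the thread.
SAMPLE_OCSP_TEXT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
    Produced At: Oct 30 00:12:54 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 49F4BD8A18BF760698C5DE402D683B716AE4E686
      Issuer Key Hash: 3DD350A5D6A0ADEEF34A600A65D321D4F8F8D60F
      Serial Number: 0793EC89595DBA606D1FD9F7BE389802
    Cert Status: good
    This Update: Oct 30 00:12:54 2017 GMT
    Next Update: Nov  5 23:27:54 2017 GMT
"""

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def _field(text, name):
    """Return the value of the first 'Name: value' line, ignoring indentation."""
    m = re.search(rf"^\s*{re.escape(name)}:\s*(.+?)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError(f"field not found: {name}")
    return m.group(1)


def parse_openssl_time(s):
    """openssl pads single-digit days with a space ('Nov  5'); collapse runs of spaces."""
    return datetime.strptime(" ".join(s.split()), OPENSSL_TIME)


def parse_ocsp_text(text):
    return {
        "status": _field(text, "OCSP Response Status"),
        "cert_status": _field(text, "Cert Status"),
        "serial": _field(text, "Serial Number"),
        "this_update": parse_openssl_time(_field(text, "This Update")),
        "next_update": parse_openssl_time(_field(text, "Next Update")),
    }


def validity_window_seconds(resp):
    """Length of the window in which the responder says this answer may be used."""
    return int((resp["next_update"] - resp["this_update"]).total_seconds())


def is_usable(resp, now, clock_skew_seconds=300):
    """A stapled response only helps clients while `now` lies within
    [thisUpdate - skew, nextUpdate + skew] and the status is 'good'.
    The skew allowance is an assumption of this example."""
    skew = timedelta(seconds=clock_skew_seconds)
    return (resp["status"].startswith("successful")
            and resp["cert_status"] == "good"
            and resp["this_update"] - skew <= now <= resp["next_update"] + skew)


def refresh_interval_seconds(resp, now, max_interval=1800):
    """How soon to fetch a fresh response (heuristic, an assumption of this example):
    never later than the configured maximum (the 1800 s chosen in the thread) and never
    past the halfway point of the remaining validity, so a responder outage does not
    leave clients with an expired staple."""
    remaining = (resp["next_update"] - now).total_seconds()
    if remaining <= 0:
        return 0
    return int(min(max_interval, remaining / 2))


if __name__ == "__main__":
    r = parse_ocsp_text(SAMPLE_OCSP_TEXT)
    now = datetime(2017, 11, 1, 12, 0, 0)
    print("serial:", r["serial"], "status:", r["cert_status"])
    print("validity window (s):", validity_window_seconds(r))
    print("usable at", now, "->", is_usable(r, now))
    print("refetch in (s):", refresh_interval_seconds(r, now))
```

Run against a live staple by piping the output of the `openssl s_client -status` command above into `parse_ocsp_text`. For the quoted response the window is 6 days 23 hours 15 minutes (602100 seconds), which matches the "roughly seven days" observed; the responder's Next Update says nothing about when the CA would publish a revocation, only how long this answer may be cached, so a short refetch interval on the proxy is what bounds the time a revoked certificate keeps being stapled as good.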