Forum Discussion
Hello, I think this might work if you leave the "Ignore AIA" unchecked and leave the URI field in the OCSP Responder blank. I believe it would then use the URI from the Cert itself.
Thanks for this Dave! One thing I notice when I do this is that the object seems to require a Certificate Authority file to be set regardless of whether AIA is checked or unchecked. There is no option in the drop down for 'none' or pull CA authority from the certificate's AIA section. Any ideas? I guess I can just try to select any old CA to get the object to complete so I can then try it out. It just seems a bit strange that it's mandating that I supply something here, when the whole purpose of the AIA behaviours is that it (should) dynamically retrieve the OCSP responder endpoint and its associated CA file from the certificate rather than having to specify it manually/explicitly.
I've raised a formal support ticket with F5 as the information on this is pretty sparse in details to say the least. If I get anything useful from that route I will be sure to post it back in here for future reference in case others need it.
- Dave_W, Feb 17, 2020, Employee
Yes, there does not seem to be much useful info on that part of the configuration. From the internal help I found this:
"Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response.
Note: The OCSP responder works with files in PEM encoding format. If a file was in DER format when it was imported, it remains in DER format in the BIG-IP SSL certificate file store. Transform any certificate authority file for use with OCSP responder into PEM format and then import it."
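The help text above makes two practical points: the CA file given to the OCSP responder object is what verifies the signature on the OCSP response, and it must be PEM, because a DER-encoded import stays DER in the BIG-IP certificate store. The following is an added example (not part of the thread or of F5's documentation) showing how to check a CA file's encoding and convert it with OpenSSL before importing it, how to pull the OCSP responder URI from a certificate's AIA extension (the value the "leave the URI blank" approach relies on), and how to confirm the CA file you pick actually issued the certificate. The test CA, leaf certificate, and the `ocsp.example.test` URI are constructed for the example.

```shell
#!/bin/sh
# Added example: prepare a CA file for a BIG-IP OCSP responder object and
# read the OCSP URI from a leaf certificate's AIA extension. Requires openssl.
set -eu

WORK=$(mktemp -d)

# is_pem FILE: succeed if FILE is a PEM certificate (the OCSP responder needs PEM)
is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# to_pem IN OUT: write a PEM copy of IN, whether IN is PEM or DER
to_pem() {
  if is_pem "$1"; then
    openssl x509 -in "$1" -out "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# ocsp_uri CERT: print the OCSP responder URI(s) from CERT's AIA extension
ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# verify_issuer CAFILE CERT: succeed if CAFILE chains CERT (i.e. it is the
# right CA to hand to the responder object for this certificate)
verify_issuer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_pki: constructed test CA (PEM and DER copies) and a leaf cert
# carrying an AIA OCSP URI; hypothetical names, not real F5/BIG-IP material
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test/\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Walk-through when run directly: convert the DER CA, show the AIA URI,
# and confirm the CA file matches the leaf before importing it.
if [ "${1:-}" = "run" ]; then
  make_test_pki
  to_pem "$WORK/ca.der" "$WORK/ca.for_bigip.pem"
  echo "OCSP URI from AIA: $(ocsp_uri "$WORK/leaf.pem")"
  verify_issuer "$WORK/ca.for_bigip.pem" "$WORK/leaf.pem" && echo "CA file issues this cert"
fi
```

Run the script with `run` to see the walk-through. On the BIG-IP side, import the PEM file produced by `to_pem` (not the original DER), and use `verify_issuer` as a sanity check that the file you select in the responder object is the CA that signs the certificates whose status will be checked; picking "any old CA" just to satisfy the required field will make signature verification of the OCSP response fail.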