Hello everyone, I am currently tasked with building a dynamic OCSP responder object for use with PSD2 and open banking. The requirement for this responder is that it is able to dynamically inspect the AIA section of the mandated client authentication certificate to pull out the OCSP responder endpoint, then call it, to check the revocation status of the client's certificate that they presented.
The question I have is around how to configure the OCSP auth object in APM. The use case that I need to solution for involves multiple (possibly hundreds) of different CAs across the world being allowed to issue PSD2 client certificates that I then need to check their associated revocation status against, with the BIG-IP APM workflow, using the OCSP auth object.
My understanding is that I can use the AIA feature of the OCSP auth object, and by leaving the "Ignore AIA" checkbox unchecked, this will instruct the APM OCSP auth service to use the OCSP endpoint embedded in the AIA section of the client cert, instead of having to create a separate responder object for each of the 100 or so possible CA responder endpoints that could present themselves.
If my understanding is correct, how do I complete the CA authority drop-down part of the configuration for this "generic" AIA OCSP checker? I do not know what CAs are currently in place and indeed which ones will be in place in 6 months' time, i.e. there may be more CAs that come online for this PSD2 use case.
Is anyone able to confirm my understanding and possibly provide a steer as to how I should solution for this particular use case, using APM or indeed another BIG-IP approach?
Hello, I think this might work if you leave the "Ignore AIA" unchecked and leave the URI field in the OCSP Responder blank. I believe it would then use the URI from the Cert itself.
Thanks for this, Dave! One thing I notice when I do this is that the object seems to require a Certificate Authority file to be set regardless of whether AIA is checked or unchecked. There is no option in the drop-down for 'none' or pull CA authority from the certificate's AIA section. Any ideas? I guess I can just try to select any old CA to get the object to complete so I can then try it out; it just seems a bit strange that it's mandating that I supply something here, when the whole purpose of the AIA behaviours is that it (should) dynamically retrieve the OCSP responder endpoint and its associated CA file from the certificate rather than having to specify it manually/explicitly.
I've raised a formal support ticket with F5, as the information on this is pretty sparse in details to say the least. If I get anything useful from that route I will be sure to post it back in here for future reference in case others need it.
Yes, there does not seem to be much useful info on that part of the configuration. From the internal help I found this:
"Specifies the name of the file containing trusted CA certificates used to verify the signature on the OCSP response.
Note: The OCSP responder works with files in PEM encoding format. If a file was in DER format when it was imported, it remains in DER format in the BIG-IP SSL certificate file store. Transform any certificate authority file for use with OCSP responder into PEM format and then import it."
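To illustrate why the two settings above are separate concerns (the responder URI comes from the client cert's AIA, while the CA file is what verifies the signature on the OCSP response), here is a worked example. It is added here and is not code from the thread, from F5 or from APM; it uses the Python `cryptography` package. Everything in it is constructed in memory: two private CAs ("PSD2 CA-A" and "PSD2 CA-B") standing in for many issuers, one client cert issued by CA-A carrying an assumed OCSP URI `http://ocsp.ca-a.example/`, and a local stand-in responder instead of a real HTTP endpoint. The checker is given a bundle of trusted CA certs (the analogue of the mandatory CA file) and picks the right issuer out of it per client cert; a response signed by the wrong CA is rejected.

```python
"""Added example (not from the thread or F5): AIA-driven OCSP check against a CA bundle."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
OCSP_URI = "http://ocsp.ca-a.example/"  # assumed URI, not a real responder


def make_ca(name):
    """Self-signed CA standing in for one PSD2 issuer (constructed, not a real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client_cert(ca_key, ca_cert, cn, ocsp_uri):
    """Client cert whose AIA extension points at its issuer's OCSP responder."""
    key = ec.generate_private_key(ec.SECP256R1())
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_uri))])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
            .add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))


def ocsp_uris_from_aia(cert):
    """The AIA step: id-ad-ocsp access locations read from the presented cert."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [ad.access_location.value for ad in aia
            if ad.access_method == AuthorityInformationAccessOID.OCSP]


def find_issuer(cert, trusted_cas):
    """The CA-file step: the bundle, not the AIA, says whose key must have signed
    the client cert and (here) the OCSP response."""
    for ca in trusted_cas:
        if ca.subject != cert.issuer:
            continue
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
            return ca
        except InvalidSignature:
            pass
    raise ValueError("issuer not in trusted CA bundle")


def mock_responder(signer_key, signer_cert, cert, revoked):
    """Stand-in for a CA's HTTP responder; a real one answers POSTed DER requests."""
    def respond(request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        assert req.serial_number == cert.serial_number  # single known cert in this toy
        status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert, issuer=signer_cert, algorithm=hashes.SHA256(), cert_status=status,
            this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
            revocation_time=NOW if revoked else None, revocation_reason=None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert)
        return builder.sign(signer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
    return respond


def check_revocation(cert, trusted_cas, fetch):
    """Dynamic check: responder URI from AIA, trust anchor from the CA bundle."""
    uris = ocsp_uris_from_aia(cert)
    if not uris:
        raise ValueError("client cert carries no OCSP URI in AIA")
    issuer = find_issuer(cert, trusted_cas)
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build()
    resp = ocsp.load_der_ocsp_response(fetch(uris[0], req.public_bytes(serialization.Encoding.DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder returned {resp.response_status}")
    # Signature must verify under the issuing CA's key. A delegated responder cert
    # (id-kp-OCSPSigning issued by the same CA) would need its own chain check; omitted here.
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:
        raise ValueError("response answers a different certificate")
    return resp.certificate_status


CA_A_KEY, CA_A_CERT = make_ca("PSD2 CA-A")
CA_B_KEY, CA_B_CERT = make_ca("PSD2 CA-B")
CLIENT_CERT = issue_client_cert(CA_A_KEY, CA_A_CERT, "PSP-12345", OCSP_URI)
TRUSTED_CAS = [CA_B_CERT, CA_A_CERT]  # the bundle the generic checker is configured with


def run_demo():
    results = {"uri": ocsp_uris_from_aia(CLIENT_CERT)[0]}
    honest = {OCSP_URI: mock_responder(CA_A_KEY, CA_A_CERT, CLIENT_CERT, revoked=False)}
    results["good"] = check_revocation(CLIENT_CERT, TRUSTED_CAS, lambda u, d: honest[u](d))
    revoked = {OCSP_URI: mock_responder(CA_A_KEY, CA_A_CERT, CLIENT_CERT, revoked=True)}
    results["revoked"] = check_revocation(CLIENT_CERT, TRUSTED_CAS, lambda u, d: revoked[u](d))
    forged = {OCSP_URI: mock_responder(CA_B_KEY, CA_B_CERT, CLIENT_CERT, revoked=False)}
    try:  # a response signed by another trusted CA (CA-B) must still be rejected
        check_revocation(CLIENT_CERT, TRUSTED_CAS, lambda u, d: forged[u](d))
        results["forged_rejected"] = False
    except InvalidSignature:
        results["forged_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The practical consequence for the APM question is that a "generic" AIA checker still needs the set of issuer CAs it is prepared to trust; the AIA only supplies where to send the request, and the CA bundle is what lets the response be believed. Adding a new PSD2 issuer therefore means adding its CA certificate (in PEM, per the help text above) to that bundle.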