F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

f5mkuDefault's avatar
f5mkuDefault
Icon for Cirrus rankCirrus
Dec 07, 2020
Solved

OCSP Responder

Hi guys, I just wanted to know if anyone of you here had already setup an ocsp responder? We have this setup but not really sure if I am doing it correctly. So the setup goes like this.   Our AD...
application delivery
LTM
  • f5mkuDefault's avatar
    f5mkuDefault
    Dec 09, 2020

    Hi Lidev, thanks for responding...This is actually how I configured but I am not too sure if this is correct, however from the packet capture now I can see ocsp request and ocsp response already, I see we are hitting the remote ocsp. We don't want to use stapling but rather remote ocsp authentication but I am not too sure if I should enable the client authentication.

     

    Would you be able to advise below if all are correct or if anything i missed?

     

    1. I created the "ocsp responder", this is where i put the "ocsp responder url".
    2. I created "ocsp configuration" and attached the "ocsp responder"
    3. I created "ocsp profile" and attached the "ocsp configuration"
    4. On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile"
    5. On the "ssl client profile" of the application virtual server I have enabled the "client authentication", change "client certificate" from ignore to require and then apply the ca certificate under the trusted certificate authorities.

     

    Test result:

    1. The moment user launch the url the browser prompt to select the certificate
    2. Select and click OK but page error

     

    From the dump:

    I see ocsp request and ocsp response and the status of ocsp response is "unaothorized".

    From this point I can tell something wrong with the remote ocsp, however I want to know if my configuration are all correct.

     

    Please, kindly advise. Thanks a lot.

     

f5mkuDefault's avatar
f5mkuDefault
Icon for Cirrus rankCirrus
Dec 09, 2020

Hi Lidev, thanks for responding...This is actually how I configured but I am not too sure if this is correct, however from the packet capture now I can see ocsp request and ocsp response already, I see we are hitting the remote ocsp. We don't want to use stapling but rather remote ocsp authentication but I am not too sure if I should enable the client authentication.

 

Would you be able to advise below if all are correct or if anything i missed?

 

  1. I created the "ocsp responder", this is where i put the "ocsp responder url".
  2. I created "ocsp configuration" and attached the "ocsp responder"
  3. I created "ocsp profile" and attached the "ocsp configuration"
  4. On the "application virtual server" I attached the "ocsp profile" under the "Authentication profile"
  5. On the "ssl client profile" of the application virtual server I have enabled the "client authentication", change "client certificate" from ignore to require and then apply the ca certificate under the trusted certificate authorities.

 

Test result:

  1. The moment user launch the url the browser prompt to select the certificate
  2. Select and click OK but page error

 

From the dump:

I see ocsp request and ocsp response and the status of ocsp response is "unaothorized".

From this point I can tell something wrong with the remote ocsp, however I want to know if my configuration are all correct.

 

Please, kindly advise. Thanks a lot.