justin_westover
Sep 08, 2016
Nimbostratus
OCSP Responders and Configuration Profiles
We're performing client mutual authentication on a few of our sites and we want to verify that the cert being presented by the client hasn't been revoked. We're using OCSP profiles to do this but we're running into a problem in our testing. I've set up an OCSP responder for each of the CAs that we support (Verisign, DigiCert, Entrust, GoDaddy, Thawte, etc.). I then created a configuration profile and assigned that configuration profile to the 'ssl_ocsp' authentication profile.
The problem: the F5 always queries the first OCSP responder in the configuration profile, even if that isn't the responder for the CA that signed the certificate. Thoughts?