Forum Discussion

vandenhoutenp_9
Apr 23, 2014

User/Personal Certificate Revocation Checks

Hi guys,

Just a quick one: is it possible to use an OCSP responder to check the validity of user/personal certificates? I've noticed that within the client SSL profile you only get the option to specify a local (uploaded) CRL, whereas with machine certificate checks an OCSP responder can be specified to automate this, preventing manual updating of the revocation list.

Thanks

Peter

3 Replies

  • Thanks Kevin. Presumably that's part of the Client Cert Inspection check, but how does that work in conjunction with the client SSL profile?

    Thanks

    Peter

  • OCSP is actually performed via an OCSP Auth agent in the visual policy and corresponding OCSP AAA configuration. The agent assumes that client cert data is being sent to it via an APM session variable, session.ssl.cert.whole if I remember correctly. There are generally two ways to make that happen. You can specify request or require in the client authentication section of the client SSL profile, or you can use an On-Demand Certificate auth agent in the VPE before the OCSP agent. The client SSL profile is still needed for both options to enforce client side SSL characteristics (ciphers, trust chains, server certs/keys, etc.). The On-Demand cert auth agent simply flips the client auth option from ignore to request or require and initiates an SSL renegotiation to get the client cert.