ocsp auth
3 Topics

SSL PROFILE - How to use multiple SSL Profile Client in Virtual Server
Hello guys, I have a VDI portal that runs through an APM. This portal uses, in its VS, an SSL profile for a wildcard certificate and another SSL profile for a smartcard that requests a token after the user enters a username and password. The question is, I can't use both profiles at the same time; I've already changed the Default SSL Profile for SNI option, but the smartcard no longer requests the token on the page. How do I use the two profiles and still manage to have the token request for the correct authentication of the page? Note: The token is requested in the Access Profile via On-Demand-Cert-Auth.

Why is OCSP response caching not working with Client Certificate Authentication?
Hi everyone, I'm implementing OCSP client certificate authentication on BIG-IP using a custom OCSP Auth profile. I see that BIG-IP sends a new OCSP request for each connection. I’ve tried disabling the Nonce option and setting custom values for Status Age and Validity Period, but it didn’t change the behavior — no caching happens. Also, I confirmed that caching seems to work only in OCSP stapling scenarios, but not when validating client certificates. Question: Is it expected that OCSP Auth profiles do not support any form of caching? Is there a supported workaround to avoid redundant OCSP traffic, or should I configure a CRL? Thanks in advance!

OCSP AUTH AGENT
Hello everyone, I'm facing a situation and I need your input to figure out what's wrong. I have a VIP where mTLS is configured in the client SSL profile with the issuer's certificate as CA (we call it CA_1), and it works well. (For info, the client cert is issued by CA_1, which is itself issued and signed by a higher authority, CA_2.) I wanted to make OCSP checks for client certificates, so I created a simple APM policy as follows:

Client ---> on-demand cert agent ---> OCSP Auth Agent ---> Allow or deny

The OCSP responder is configured with the same CA_1 that's configured in the Client authentication in the SSL profile, and a responder (ocsp.example.com). The error I'm facing is: OCSP Auth agent: Failure status 'Error querying OCSP responder host ocsp.example.com'. To troubleshoot, I did a few tests and we can eliminate the following possibilities:
- Connectivity and DNS: I can reach the responder on the HTTP port using the FQDN.
- Blocked traffic: no firewall inspection between the BIG-IP and the responder.
- The responder not treating the request as it should: openssl ocsp verification works fine and gets me the wanted result from the OCSP responder.
- The famous "missing Host header": the header is well included in the request sent by the BIG-IP to the responder; moreover, I compared this request to the one sent when using openssl ocsp and the one sent when I test from my own computer using openssl, and they are identical when it comes to the OCSP data in the request and response frames.

What's more interesting is that when I capture the response sent by the responder when the APM sends the OCSP verification request, I can clearly see that it states the status of the certificate (which is revoked in my case), but the APM logs don't show that; instead, when debugging, it says that the on-demand cert agent is executed (I can see the client cert and the issuer cert CA_1 as well), then it moves successfully to the OCSP Auth agent, and then directly it reports the querying error. Could you please tell me if you see anything I could do to troubleshoot more? Any ideas? PS 1: I also tried using CA_2, a bundle of CA_1 and CA_2, and a cert chain of both, but no luck! PS 2: when I use the CRLDP agent, I can see the status (revoked) in the APM logs. Thank you in advance!