Dec 02, 2010

Multiple (many) OCSP responders, multiple CAs and certificate check

Is there a way to check certificate revocation status for a pre-loaded list of trusted CAs (50 to 100), just like a browser would do?


The BIG-IP should extract the AIA field from the certificate and use it to contact the OCSP responder.


Is this something the BIG-IP is meant to do (not just checking one or two OCSP responders, but many)? What is the limit?


Has it been done before? Does anyone have a configuration example?



Subsidiary question: if the AIA field does not exist, can the BIG-IP use the CRL field as a fallback? (again, just as internet browsers can)



Kind regards


  • Hi JTH,

    None of this is currently possible with native configuration. However, I think there are plans to support some of it soon. I suggest you get in touch with your F5 system engineer or account manager, who can provide you with more detail.

    Thanks, Aaron
  • I think this should be possible now with a hotfix on 10.2.4 or any 11.x version:

    sol12570: The BIG-IP SSL OCSP authentication module does not honor AIA extensions in client certificates