Overview: Configure OCSP Authentication

About OCSP authentication

BIG-IP Next Access supports authenticating and authorizing the client against the Online Certificate Status Protocol (OCSP). OCSP is a mechanism for checking whether an SSL/TLS certificate (an X.509 digital certificate) is still valid or has been revoked, by sending the certificate's identifying information to a remote OCSP responder. This status helps web browsers check an HTTPS website's digital certificate and validate its hostname and private key to ensure secure communication. OCSP is an alternative to the certificate revocation list (CRL), and it is more efficient than a CRL because the client does not have to download and maintain an entire list to obtain current certificate status.

The OCSP Auth agent ensures that BIG-IP Next Access always obtains real-time revocation status from the OCSP responder during the certificate verification process. The responder maintains up-to-date information about the certificate’s revocation status.

The OCSP flow occurs as follows:

  1. The user requests access to a service on the BIG-IP Next and provides a certificate.

  2. BIG-IP Next sends a request for certificate status information to the OCSP responder.

  3. The OCSP responder checks the request's validity against a trusted CA and returns a status of good, revoked, or unknown.

  4. If the OCSP response is good, BIG-IP Next allows the session to be established, and the client can access the service.

Configure OCSP Authentication

You can configure OCSP authentication using the following methods:

Configure OCSP Authentication using BIG-IP Next Central Manager