apm aaa ocsp
apm aaa ocsp(1) BIG-IP TMSH Manual apm aaa ocsp(1)
NAME
ocsp - Configure Online Certificate System Protocol (OCSP) responder objects.
MODULE
apm aaa
SYNTAX
Configure the ocsp component within the aaa module using the syntax shown in the following sections.
CREATE/MODIFY
create ocsp [name]
modify ocsp [name]
options:
allow-certs [true | false]
app-service [[string] | none]
ca-file ( | none)
ca-path ( | none)
cert-id-digest (sha1 | md5)
chain [true | false]
check-certs [true | false]
explicit-ocsp [true | false]
ignore-aia [true | false]
intern [true | false]
location-specific [true | false]
nonce [true | false]
sign-digest (sha1 | md5)
sign-key ( | none)
sign-key-passphrase ( | none)
sign-other ( | none)
signer ( | none)
status-age
trust-other [true | false]
url ( | none)
va-file ( | none)
validity-period
verify [true | false]
verify-cert [true | false]
verify-other ( | none)
verify-sig [true | false]
edit ocsp | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ocsp
list ocsp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete ocsp [name]
DESCRIPTION
To implement the SSL OCSP authentication module, create an OCSP responder object and assign it to the OCSP auth agent in
your access policy.
OPTIONS
allow-certs
Specifies whether the addition of certificates to an OCSP request is enabled. The default is true.
app-service
Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
object. Only the application service can modify or delete the object.
ca-file
Specifies the name of the certificate file object containing trusted CA certificates used to verify the signature on
the OCSP response. The default is none.
ca-path
Specifies the path to the trusted CA certificates used to verify the signature on the OCSP response. The default is
none.
cert-id-digest
The cert ID digest is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates the cert
ID using a hash of the Issuer and serial number for the certificate that it is trying to verify. The options are:
sha1 Newer algorithm that provides a higher security level with a 160 bit hash length. This is the default.
md5 Older algorithm with a 128 bit hash length.
chain
Specifies whether the system constructs a chain from certificates in the OCSP response. The default is true.
check-certs
Specifies whether the LTM system makes additional checks to see if the signer's certificate is authorized to provide
the necessary status information. Use this option only for testing purposes. The default is true.
explicit-ocsp
Specifies whether the BIG-IP system explicitly trusts that the OCSP response signer's certificate is authorized for
OCSP response signing. If the signer's certificate does not contain the OCSP signing extension, setting this option to
true causes a response to be untrusted. The default is true.
ignore-aia
Specifies whether to ignore the URL contained in the certificate's AIA fields, and to always use the URL specified by
the responder instead. The default is false.
intern
Specifies whether to ignore certificates contained in an OCSP response when searching for the signer's certificate.
When you set this option to true, you must also specify the signer's certificate using either the verify-other or va-
file option. The default is true.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the location
where the BIG-IP device resides. The location-specific attribute is either true or false. When using policy sync, mark
an object as location-specific to prevent errors that can occur when policies reference objects, such as
authentication servers, that are specific to a certain location.
[name]
Specifies a unique name for the component. This option is required.
nonce
Specifies whether a nonce will be sent in an OCSP request. When set to false, the request is sent without a nonce.
The default is true.
partition
Displays the partition within which the OCSP responder object resides.
sign-digest
Specifies the algorithm (md5 or sha1> used to sign a request using a signing certificate and key. The default is sha1.
If you use this option, you must also set the sign-key and sign-key-passphrase options.
sign-key
Specifies the key used to sign an OCSP request. If you use this option, you must also set the sign-digest and sign-
key-passphrase options. The default is none.
sign-key-passphrase
Specifies the passphrase for the signing key. If you use this option, you must also set the sign-digest and sign-key
options. The default is none.
sign-other
Specifies additional certificates to add to an OCSP request. The options are default.crt and ca-bundle.crt. The
default is none.
signer
Specifies the certificate used to sign an OCSP request. If the certificate is specified but the key is not specified,
then the private key is read from the same file as the certificate. If neither the certificate nor the key is
specified, then the request is not signed. If the certificate is not specified and the key is specified, then the
configuration is considered to be invalid. The default is none.
status-age
Species the amount of time (in seconds) to compare to the notBefore value of a status response. Use this option only
when a status response does not include the notAfter field. The default is 0 (zero).
trust-other
Specifies whether the BIG-IP system trusts the certificates specified using the verify-other option. The default is
false.
url Specifies the URL used to contact the OCSP service on the responder. This option is required. The default is none.
va-file
Specifies the name of the file containing explicitly-trusted responder certificates. Use this option when the
responder is not covered by the certificates already loaded into the responder's CA store. The default is none.
validity-period
Specifies an acceptable error range in seconds. Use this option when the OCSP responder clock and a client clock are
not synchronized, which could cause a certificate status check to fail. This value must be a positive number. This
option is required. The default is 300.
verify
Specifies whether verification of an OCSP response signature or the nonce values is enabled. Use this option only for
debugging purposes. The default is true.
verify-cert
Specifies whether the BIG-IP system verifies the certificate in the OCSP response. The default is true.
verify-other
Specifies the name of the file used to search for an OCSP response signing certificate when the certificate has been
omitted from the response. The default is none.
verify-sig
Specifies whether the BIG-IP system checks the signature on the OCSP response. Use this option only for testing
purposes. The default is true.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.
BIG-IP 2016-01-07 apm aaa ocsp(1)