ltm auth ocsp-responder
ltm auth ocsp-responder(1) BIG-IP TMSH Manual ltm auth ocsp-responder(1)
NAME
ocsp-responder - Configures Online Certificate System Protocol (OCSP)
responder objects.
MODULE
ltm auth
SYNTAX
Configure the ocsp-responder component within the ltm auth module using
the syntax shown in the following sections.
CREATE/MODIFY
create ocsp-responder [name]
modify ocsp-responder [name]
options:
allow-certs [disabled | enabled]
app-service [[string] | none]
ca-file [ [file name] | none]
ca-path [ [file name] | none]
cert-id-digest [md5 | sha1]
chain [disabled | enabled]
check-certs [disabled | enabled]
description [string]
explicit [disabled | enabled]
ignore-aia [disabled | enabled]
intern [disabled | enabled]
nonce [disabled | enabled]
sign-digest [md5 | sha1]
sign-key [ [key] | none)
sign-key-pass-phrase [ [pass phrase] | none]
sign-other [ [list of certs] | none]
signer [ [certificate] | none]
status-age [integer]
trust-other [disabled | enabled]
url [none | [url] ]
va-file [ [file name] | none]
validity-period [integer]
verify [disabled | enabled]
verify-cert [disabled | enabled]
verify-other [ [file name] | none]
verify-sig [disabled | enabled]
edit ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ocsp-responder
list ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
show running-config ocsp-responder
show running-config ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete ocsp-responder [name]
DESCRIPTION
To implement the SSL OCSP authentication module, you must create the
following objects: one or more OCSP responder objects, an SSL OCSP
configuration object, and an SSL OCSP profile.
To implement an SSL OCSP authentication module and create an OCSP
responder object:
1. Use the ocsp-responder component in the ltm auth module to configure
an OCSP responder object.
2. Use the ssl-ocsp component in the ltm auth module to configure an
SSL OCSP configuration object to which you add the OCSP responder
object that you created in Step 1.
3. Use the profile component in the ltm auth module to create an
authentication profile in which you specify the following options:
a. For the configuration option, specify the SSL OCSP
configuration object that you created in Step 2.
b. For the defaults-from option, specify a parent profile (either
the default OCSP Responder profile named ssl_ocsp or another
custom profile that you created).
OPTIONS
allow-certs
Enables or disables the addition of certificates to an OCSP
request. The default value is enabled.
app-service
Specifies the name of the application service to which the OCSP
responder object belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that
owns the object, you cannot modify or delete the OCSP responder
object. Only the application service can modify or delete the OCSP
responder object.
ca-file
Specifies the name of the file containing trusted CA certificates
used to verify the signature on the OCSP response. The default
value is none.
ca-path
Specifies the name of the path containing trusted CA certificates
used to verify the signature on the OCSP response. The default
value is none.
cert-id-digest
Specifies a specific algorithm identifier, either sha1 or md5. The
default value is sha1. The options are:
sha1 is newer and provides more security with a 160-bit hash
length.
md5 is older and has only a 128-bit hash length.
The cert ID is part of the OCSP protocol. The OCSP client (in this
case, the BIG-IP system) calculates the cert ID using a hash of
the Issuer and serial number for the certificate that it is trying
to verify.
chain
Specifies whether the system constructs a chain from certificates
in the OCSP response. The default value is enabled.
check-certs
Enables or disables verification of an OCSP response certificate.
Use this option for debugging purposes only. The default value is
enabled.
description
User defined description.
explicit
Specifies that the Local Traffic Manager explicitly trusts that
the OCSP response signer's certificate is authorized for OCSP
response signing. If the signer's certificate does not contain the
OCSP signing extension, specification of this option causes a
response to be untrusted. The default value is enabled.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
ignore-aia
Specifies whether the system ignores the URL contained in the
certificate's AIA fields, and always uses the URL specified by the
responder instead. The default value is disabled.
intern
Specifies whether the system ignores certificates contained in an
OCSP response when searching for the signer's certificate. To use
this option, the signer's certificate must be specified with
either the verify-other or va-file option. The default value is
enabled.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
nonce
Specifies whether the system verifies an OCSP response signature
or the nonce values. The default value is enabled.
partition
Displays the administrative partition within which the component
resides.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
sign-digest
Specifies the algorithm for signing the request, using the signing
certificate and key. This parameter has no meaning, if request
signing is not in effect (that is, both the request signing
certificate and request signing key parameters are empty). This
parameter is required only when request signing is in effect. The
default value is sha1.
sign-key
Specifies the key that the system uses to sign an OCSP request.
The default value is none.
sign-key-pass-phrase
Specifies the passphrase that the system uses to encrypt the sign
key. The default value is none.
sign-other
Adds a list of additional certificates to an OCSP request. The
default value is none.
signer
Specifies a certificate used to sign an OCSP request. If the
certificate is specified, but the key is not specified, then the
private key is read from the same file as the certificate. If
neither the certificate nor the key is specified, then the request
is not signed. If the certificate is not specified and the key is
specified, then the configuration is considered to be invalid. The
default value is none.
status-age
Specifies the age of the status of the OCSP responder. The default
value is 0 (zero).
trust-other
Instructs the BIG-IP local traffic management system to trust the
certificates specified with the verify-other option. The default
is value disabled.
url Specifies the URL used to contact the OCSP service on the
responder. This option is required. The default value is none.
va-file
Specifies the name of the file containing explicitly trusted
responder certificates. This parameter is needed in the event that
the responder is not covered by the certificates already loaded
into the responder's CA store. The default value is none.
validity period
Specifies the number of seconds used to specify an acceptable
error range. Use this option when the OCSP responder clock and a
client clock are not synchronized, which can cause a certificate
status check to fail. This value must be a positive number. The
default value is 300 seconds.
verify
Enables or disables verification of an OCSP response signature or
the nonce values. Used for debugging purposes only. The default
value is enabled.
verify-cert
Specifies that the system makes additional checks to see if the
signer's certificate is authorized to provide the necessary status
information. Use this option for testing purposes only. The
default value is enabled.
verify-other
Specifies the name of the file used to search for an OCSP response
signing certificate when the certificate has been omitted from the
response. The default value is none.
verify-sig
Specifies that the system checks the signature on the OCSP
response. Use this option for testing purposes only. The default
value is enabled.
SEE ALSO
create, delete, edit, glob, list, ltm auth profile, ltm auth ssl-
ocsp, ltm virtual, modify, regex, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012. All rights
reserved.
BIG-IP 2012-10-19 ltm auth ocsp-responder(1)