apm aaa ocsp
apm aaa ocsp(1) BIG-IP TMSH Manual apm aaa ocsp(1)
NAME
ocsp - Configure Online Certificate System Protocol (OCSP) responder objects.
MODULE
apm aaa
SYNTAX
Configure the ocsp component within the aaa module using the syntax shown in the following sections.
CREATE/MODIFY
create ocsp [name]
modify ocsp [name]
options:
allow-certs [true | false]
app-service [[string] | none]
ca-file ( | none)
ca-path ( | none)
cert-id-digest (sha1 | md5)
chain [true | false]
check-certs [true | false]
explicit-ocsp [true | false]
ignore-aia [true | false]
intern [true | false]
location-specific [true | false]
nonce [true | false]
sign-digest (sha1 | md5)
sign-key ( | none)
sign-key-passphrase ( | none)
sign-other ( | none)
signer ( | none)
status-age
trust-other [true | false]
url ( | none)
va-file ( | none)
validity-period
verify [true | false]
verify-cert [true | false]
verify-other ( | none)
verify-sig [true | false]
edit ocsp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ocsp
list ocsp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
app-service
non-default-properties
one-line
partition
DELETE
delete ocsp [name]
DESCRIPTION
To implement the SSL OCSP authentication module, create an OCSP responder object and assign it to the OCSP
auth agent in your access policy.
OPTIONS
allow-certs
Specifies whether the addition of certificates to an OCSP request is enabled. The default is true.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
ca-file
Specifies the name of the certificate file object containing trusted CA certificates used to verify the
signature on the OCSP response. The default is none.
ca-path
Specifies the path to the trusted CA certificates used to verify the signature on the OCSP response. The
default is none.
cert-id-digest
The cert ID digest is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system)
calculates the cert ID using a hash of the Issuer and serial number for the certificate that it is trying
to verify. The options are:
sha1 Newer algorithm that provides a higher security level with a 160-bit hash length. This is the
default.
md5 Older algorithm with a 128-bit hash length.
chain
Specifies whether the system constructs a chain from certificates in the OCSP response. The default is
true.
check-certs
Specifies whether the LTM system makes additional checks to see if the signer's certificate is authorized
to provide the necessary status information. Use this option only for testing purposes. The default is
true.
explicit-ocsp
Specifies whether the BIG-IP system explicitly trusts that the OCSP response signer's certificate is
authorized for OCSP response signing. If the signer's certificate does not contain the OCSP signing
extension, setting this option to true causes a response to be untrusted. The default is true.
ignore-aia
Specifies whether to ignore the URL contained in the certificate's AIA fields, and to always use the URL
specified by the responder instead. The default is false.
intern
Specifies whether to ignore certificates contained in an OCSP response when searching for the signer's
certificate. When you set this option to true, you must also specify the signer's certificate using
either the verify-other or va-file option. The default is true.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the
location where the BIG-IP device resides. The location-specific attribute is either true or false. When
using policy sync, mark an object as location-specific to prevent errors that can occur when policies
reference objects, such as authentication servers, that are specific to a certain location.
[name]
Specifies a unique name for the component. This option is required.
nonce
Specifies whether a nonce will be sent in an OCSP request. When set to false, the request is sent without
a nonce. The default is true.
partition
Displays the partition within which the OCSP responder object resides.
sign-digest
Specifies the algorithm (md5 or sha1) used to sign a request using a signing certificate and key. The
default is sha1. If you use this option, you must also set the sign-key and sign-key-passphrase options.
sign-key
Specifies the key used to sign an OCSP request. If you use this option, you must also set the sign-digest
and sign-key-passphrase options. The default is none.
sign-key-passphrase
Specifies the passphrase for the signing key. If you use this option, you must also set the sign-digest
and sign-key options. The default is none.
sign-other
Specifies additional certificates to add to an OCSP request. The options are default.crt and
ca-bundle.crt. The default is none.
signer
Specifies the certificate used to sign an OCSP request. If the certificate is specified but the key is
not specified, then the private key is read from the same file as the certificate. If neither the
certificate nor the key is specified, then the request is not signed. If the certificate is not specified
and the key is specified, then the configuration is considered to be invalid. The default is none.
status-age
Specifies the amount of time (in seconds) to compare to the notBefore value of a status response. Use this
option only when a status response does not include the notAfter field. The default is 0 (zero).
trust-other
Specifies whether the BIG-IP system trusts the certificates specified using the verify-other option. The
default is false.
url
Specifies the URL used to contact the OCSP service on the responder. This option is required. The default
is none.
va-file
Specifies the name of the file containing explicitly-trusted responder certificates. Use this option when
the responder is not covered by the certificates already loaded into the responder's CA store. The
default is none.
validity-period
Specifies an acceptable error range in seconds. Use this option when the OCSP responder clock and a
client clock are not synchronized, which could cause a certificate status check to fail. This value must
be a positive number. This option is required. The default is 300.
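The following is an added illustration, not BIG-IP code, of the time checks that the status-age and validity-period options describe: validity-period is applied as a clock-skew allowance on both ends of the response window, and status-age bounds how old notBefore (thisUpdate) may be when the response carries no notAfter (nextUpdate). It assumes the OpenSSL-style ordering of these checks and that a status-age of 0 disables the age check; both are assumptions, not statements from the manual.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed model of an OCSP status-time check. Field names follow the manual:
# this_update is the response's notBefore, next_update its optional notAfter.
def check_status_times(this_update: datetime,
                       next_update: Optional[datetime],
                       now: datetime,
                       validity_period: int = 300,
                       status_age: int = 0) -> Tuple[bool, str]:
    """Return (accepted, reason) for a single OCSP status response."""
    # The manual requires validity-period to be a positive number of seconds.
    if validity_period <= 0:
        raise ValueError("validity-period must be a positive number of seconds")
    skew = timedelta(seconds=validity_period)

    # A response produced further in the future than the allowed skew is rejected;
    # a responder clock slightly ahead of ours is tolerated up to validity-period.
    if this_update > now + skew:
        return False, "status not yet valid: thisUpdate beyond validity-period skew"

    if next_update is None:
        # No notAfter: status-age is the only bound on how stale the answer may be.
        # Assumption: 0 (the default) means the age check is disabled.
        if status_age > 0 and this_update < now - timedelta(seconds=status_age):
            return False, "status too old: thisUpdate older than status-age"
        return True, "ok (no nextUpdate, status-age check passed)"

    if next_update < this_update:
        return False, "malformed: nextUpdate precedes thisUpdate"

    # A response whose notAfter is already past is expired, again allowing skew
    # so a responder clock slightly behind ours does not fail every check.
    if next_update < now - skew:
        return False, "status expired: nextUpdate beyond validity-period skew"

    return True, "ok"
```
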
verify
Specifies whether verification of an OCSP response signature or the nonce values is enabled. Use this
option only for debugging purposes. The default is true.
verify-cert
Specifies whether the BIG-IP system verifies the certificate in the OCSP response. The default is true.
verify-other
Specifies the name of the file used to search for an OCSP response signing certificate when the
certificate has been omitted from the response. The default is none.
verify-sig
Specifies whether the BIG-IP system checks the signature on the OCSP response. Use this option only for
testing purposes. The default is true.
SEE ALSO
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2012. All rights reserved.
BIG-IP 2016-01-07 apm aaa ocsp(1)