ltm auth ocsp-responder
ltm auth ocsp-responder(1) BIG-IP TMSH Manual ltm auth ocsp-responder(1)
NAME
ocsp-responder - Configures Online Certificate System Protocol (OCSP) responder objects.
MODULE
ltm auth
SYNTAX
Configure the ocsp-responder component within the ltm auth module using the syntax shown in the following
sections.
CREATE/MODIFY
create ocsp-responder [name]
modify ocsp-responder [name]
options:
allow-certs [disabled | enabled]
app-service [[string] | none]
ca-file [ [file name] | none]
ca-path [ [file name] | none]
cert-id-digest [md5 | sha1]
chain [disabled | enabled]
check-certs [disabled | enabled]
description [string]
explicit [disabled | enabled]
ignore-aia [disabled | enabled]
intern [disabled | enabled]
nonce [disabled | enabled]
sign-digest [md5 | sha1]
sign-key [ [key] | none)
sign-key-pass-phrase [ [pass phrase] | none]
sign-other [ [list of certs] | none]
signer [ [certificate] | none]
status-age [integer]
trust-other [disabled | enabled]
url [none | [url] ]
va-file [ [file name] | none]
validity-period [integer]
verify [disabled | enabled]
verify-cert [disabled | enabled]
verify-other [ [file name] | none]
verify-sig [disabled | enabled]
edit ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list ocsp-responder
list ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
show running-config ocsp-responder
show running-config ocsp-responder [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete ocsp-responder [name]
DESCRIPTION
To implement the SSL OCSP authentication module, you must create the following objects: one or more OCSP
responder objects, an SSL OCSP configuration object, and an SSL OCSP profile.
To implement an SSL OCSP authentication module and create an OCSP responder object:
1. Use the ocsp-responder component in the ltm auth module to configure an OCSP responder object.
2. Use the ssl-ocsp component in the ltm auth module to configure an SSL OCSP configuration object to which
you add the OCSP responder object that you created in Step 1.
3. Use the profile component in the ltm auth module to create an authentication profile in which you specify
the following options:
a. For the configuration option, specify the SSL OCSP configuration object that you created in Step 2.
b. For the defaults-from option, specify a parent profile (either the default OCSP Responder profile
named ssl_ocsp or another custom profile that you created).
OPTIONS
allow-certs
Enables or disables the addition of certificates to an OCSP request. The default value is enabled.
app-service
Specifies the name of the application service to which the OCSP responder object belongs. The default
value is none. Note: If the strict-updates option is enabled on the application service that owns the
object, you cannot modify or delete the OCSP responder object. Only the application service can modify or
delete the OCSP responder object.
ca-file
Specifies the name of the file containing trusted CA certificates used to verify the signature on the
OCSP response. The default value is none.
ca-path
Specifies the name of the path containing trusted CA certificates used to verify the signature on the
OCSP response. The default value is none.
cert-id-digest
Specifies a specific algorithm identifier, either sha1 or md5. The default value is sha1. The options
are:
sha1 is newer and provides more security with a 160-bit hash length.
md5 is older and has only a 128-bit hash length.
The cert ID is part of the OCSP protocol. The OCSP client (in this case, the BIG-IP system) calculates
the cert ID using a hash of the Issuer and serial number for the certificate that it is trying to verify.
chain
Specifies whether the system constructs a chain from certificates in the OCSP response. The default value
is enabled.
check-certs
Enables or disables verification of an OCSP response certificate. Use this option for debugging purposes
only. The default value is enabled.
description
User defined description.
explicit
Specifies that the Local Traffic Manager explicitly trusts that the OCSP response signer's certificate is
authorized for OCSP response signing. If the signer's certificate does not contain the OCSP signing
extension, specification of this option causes a response to be untrusted. The default value is enabled.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
ignore-aia
Specifies whether the system ignores the URL contained in the certificate's AIA fields, and always uses
the URL specified by the responder instead. The default value is disabled.
intern
Specifies whether the system ignores certificates contained in an OCSP response when searching for the
signer's certificate. To use this option, the signer's certificate must be specified with either the
verify-other or va-file option. The default value is enabled.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
nonce
Specifies whether the system verifies an OCSP response signature or the nonce values. The default value
is enabled.
partition
Displays the administrative partition within which the component resides.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
sign-digest
Specifies the algorithm for signing the request, using the signing certificate and key. This parameter
has no meaning, if request signing is not in effect (that is, both the request signing certificate and
request signing key parameters are empty). This parameter is required only when request signing is in
effect. The default value is sha1.
sign-key
Specifies the key that the system uses to sign an OCSP request. The default value is none.
sign-key-pass-phrase
Specifies the passphrase that the system uses to encrypt the sign key. The default value is none.
sign-other
Adds a list of additional certificates to an OCSP request. The default value is none.
signer
Specifies a certificate used to sign an OCSP request. If the certificate is specified, but the key is not
specified, then the private key is read from the same file as the certificate. If neither the certificate
nor the key is specified, then the request is not signed. If the certificate is not specified and the key
is specified, then the configuration is considered to be invalid. The default value is none.
status-age
Specifies the age of the status of the OCSP responder. The default value is 0 (zero).
trust-other
Instructs the BIG-IP local traffic management system to trust the certificates specified with the verify-
other option. The default is value disabled.
url Specifies the URL used to contact the OCSP service on the responder. This option is required. The default
value is none.
va-file
Specifies the name of the file containing explicitly trusted responder certificates. This parameter is
needed in the event that the responder is not covered by the certificates already loaded into the
responder's CA store. The default value is none.
validity period
Specifies the number of seconds used to specify an acceptable error range. Use this option when the OCSP
responder clock and a client clock are not synchronized, which can cause a certificate status check to
fail. This value must be a positive number. The default value is 300 seconds.
verify
Enables or disables verification of an OCSP response signature or the nonce values. Used for debugging
purposes only. The default value is enabled.
verify-cert
Specifies that the system makes additional checks to see if the signer's certificate is authorized to
provide the necessary status information. Use this option for testing purposes only. The default value is
enabled.
verify-other
Specifies the name of the file used to search for an OCSP response signing certificate when the
certificate has been omitted from the response. The default value is none.
verify-sig
Specifies that the system checks the signature on the OCSP response. Use this option for testing purposes
only. The default value is enabled.
SEE ALSO
create, delete, edit, glob, list, ltm auth profile, ltm auth ssl-ocsp, ltm virtual, modify, regex, show,
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2010, 2012. All rights reserved.
BIG-IP 2012-10-19 ltm auth ocsp-responder(1)