OCSP Stapling
The Online Certificate Status Protocol (OCSP) provides timely information regarding the revocation status of a certificate. The OCSP also enhances bandwidth management by removing the need for retrieving the revocation lists.
F5® Distributed Cloud Services provide centralized support for OCSP by using a component in F5 Distributed Cloud Global Controller (GC). The component requests the OCSP servers for the revocation status of the TLS certificate and sends the response to all Edge Sites and Network Sites and also enables local caching for it. The OCSP clients then requests the status and they obtain it from their nearest Edge or Network Sites. F5 Distributed Cloud also supports OCSP stapling and certificates with must-staple extension using the same mechanism.
The users need to obtain a CA-signed TLS certificate with OCSP must-staple extension and configure virtual host or the advertise policy with this certificate to enable OCSP stapling for their applications or services. For information on how to obtain the certificate and enable OCSP stapling, see Configuring OCSP Stapling guide.
Figure: F5 Distributed Cloud OCSP High-level View
OCSP Stapling
The OCSP stapling is supported generating a certificate from a Certificate Authority (CA) and use the CA in virtual host or advertise policy configuration.
Figure: OCSP Staple Work Flow
The following is the sequence of events for OCSP stapling for TLS certificates:
- User obtains a CA-signed OCSP certificate and configures virtual host or advertise policy with the certificate and key.
- The GC component checks the certificate and determines the OCSP server.
- The GC component sends certificate status request (Get OSCP) to the OCSP servers and obtains the response.
- The GC component then sends the response for local caching and also to all RE Sites and CE Sites.
- The clients such as browsers send HTTPS requests and their nearest RE or CE returns the certificate.
- The clients accept the certificate.
OCSP Stapling with Must-Staple Extension
The must-staple extension enforces the clients to accept only certificates with the must-staple extension, enhancing security apart from reducing latency and improving bandwidth management.
To enable OCSP stapling with this extension, it is required to obtain a CA-signed TLS certificate with a OCSP must-staple extension and use it in the virtual host or advertise policy configuration.
Figure: OCSP Must-Staple Work Flow
The following is the sequence of events for OCSP stapling for TLS certificates with must-staple extension:
- User obtains a CA-signed OCSP certificate with must-staple extension and configures virtual host or advertise policy with the certificate and key.
- The GC component checks the certificate and determines the OCSP server.
- The GC component sends certificate status request (Get OSCP) to the OCSP servers and obtains the response.
- The GC component then sends the response for local caching and also to all RE Sites and CE Sites.
- The clients such as browsers send HTTPS requests and their nearest RE or CE returns the certificate only if the response contains the must-staple extension.
- The clients accept the certificate.