OCSP Configuration
- Last Updated: August 29, 2025
To get to the OCSP Configuration screen, in the main menu of the LoadMaster WUI, go to Certificates & Security > OCSP Configuration.
OCSP Server
The address of the OCSP server. This can either be in IP address or Fully Qualified Domain Name (FQDN) format.
OCSP Server Port
The port of the OCSP server.
OCSP URL
The URL to access on the OCSP server.
Use SSL
Select this to use SSL to connect to the OCSP server.
Allow Access on Server Failure
Treat an OCSP server connection failure or timeout as if the OCSP server had returned a valid response, that is, treat the client certificate as valid. This is a fail-open setting: while it is enabled, a responder outage (or anything that blocks the LoadMaster's path to the responder) means a revoked certificate is still accepted, so leave it disabled unless availability matters more than revocation enforcement.
OCSP Checking
The Enable OCSP Checking check box (and the associated API setting) is all that is required to enable OCSP checking for outbound management connections that use certificate authentication (for example, LDAP and remote logging). The OCSP Server, Port and URL settings affect that checking as follows:
- If the OCSP Server/Port/URL options are not set, all OCSP checking depends on the OCSP server given in the Authority Information Access (AIA) extension of the certificate being validated, and that information is optional. If it is not present, or is invalid, no checking is performed.
- If the OCSP Server/Port/URL options are set, any certificate that does not carry an OCSP server in its AIA extension is checked using the configured OCSP server details.
- If both the certificate and the OCSP Server/Port/URL options carry OCSP server details, only the information in the certificate is used to validate it. If the OCSP server details in the certificate are invalid, OCSP checking does not fall back to the LoadMaster OCSP server settings.
This behavior with respect to the OCSP Server/Port/URL settings also applies to OCSP checking of server certificate chains.
Note that OCSP checking for Real Server connections is not enabled by this control. Real Server OCSP certificate checks are enabled by the Force Real Server Certificate Checking option.
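The responder-selection rules and the Allow Access on Server Failure behavior described above, as an added example that is not LoadMaster code: a Python model that uses the `cryptography` package (assumed to be installed) to read the OCSP URI from a certificate's AIA extension, applies the three precedence rules, and shows what fail-open versus fail-closed means when the responder times out. The `OcspSettings`, `decide` and `fake_responder` names, the hostnames and ports, and the self-signed test certificates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


@dataclass(frozen=True)
class OcspSettings:
    """The five WUI fields on this page (hypothetical model). Empty server = Server/Port/URL not set."""
    server: str = ""                # OCSP Server (IP address or FQDN)
    port: int = 80                  # OCSP Server Port
    url: str = "/"                  # OCSP URL (path requested on the server)
    use_ssl: bool = False           # Use SSL
    allow_on_failure: bool = False  # Allow Access on Server Failure

    def configured(self) -> bool:
        return bool(self.server)

    def responder_url(self) -> str:
        scheme = "https" if self.use_ssl else "http"
        return f"{scheme}://{self.server}:{self.port}{self.url}"


def aia_ocsp_url(cert: x509.Certificate) -> Optional[str]:
    """First OCSP URI in the certificate's Authority Information Access extension, or None.
    Returned unvalidated: per the page, a present-but-invalid AIA entry does not
    fall back to the configured server, so the caller must not second-guess it."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def select_responder(cert: x509.Certificate, settings: OcspSettings) -> Optional[str]:
    """The three rules from the page, in order of precedence:
    1. AIA carries an OCSP URI -> use it, whatever the LoadMaster settings say.
    2. No AIA entry but Server/Port/URL set -> use the configured responder.
    3. Neither -> None: no OCSP check is performed."""
    aia = aia_ocsp_url(cert)
    if aia is not None:
        return aia
    if settings.configured():
        return settings.responder_url()
    return None


def decide(cert: x509.Certificate, settings: OcspSettings,
           query: Callable[[str], str]) -> tuple[bool, str]:
    """Accept or reject a certificate. `query(url)` returns 'good', 'revoked' or 'unknown'
    and raises OSError (TimeoutError is a subclass) when the responder cannot be reached."""
    url = select_responder(cert, settings)
    if url is None:
        return True, "no responder known; certificate accepted without an OCSP check"
    try:
        status = query(url)
    except OSError as exc:
        if settings.allow_on_failure:
            # Fail open: the outage is treated exactly like a 'good' answer.
            return True, f"{url} unreachable ({exc}); accepted, Allow Access on Server Failure is set"
        return False, f"{url} unreachable ({exc}); rejected (fail closed)"
    # Only an explicit 'good' is accepted; 'revoked' and 'unknown' both reject (conservative choice).
    return status == "good", f"{url} answered {status}"


def fake_responder(answers: dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for the network: URLs missing from `answers` time out."""
    def query(url: str) -> str:
        if url not in answers:
            raise TimeoutError("connection timed out")
        return answers[url]
    return query


def make_cert(ocsp_url: Optional[str] = None) -> x509.Certificate:
    """Constructed self-signed test certificate, optionally carrying an AIA OCSP URI."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client.example.test")])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name).public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=1))
               .not_valid_after(now + timedelta(days=1)))
    if ocsp_url:
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([x509.AccessDescription(
                AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    lm = OcspSettings(server="ocsp.corp.example.test", port=8080, url="/ocsp", allow_on_failure=True)
    net = fake_responder({"http://ocsp.corp.example.test:8080/ocsp": "good"})
    for label, cert in (("no AIA", make_cert()), ("AIA set", make_cert("http://ocsp.pki.example.test/"))):
        print(label, decide(cert, lm, net))
```

The case worth running yourself is a certificate whose AIA points at an unreachable responder while the LoadMaster Server/Port/URL fields are also set: with Allow Access on Server Failure off the certificate is rejected rather than checked against the configured server, which is the "no fallback" rule from the third bullet above.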
Enable OCSP Stapling
If the Enable OCSP Stapling check box is selected, the LoadMaster verifies certificates for all external connections that it originates (except re-encrypted connections to the Real Servers) and responds to OCSP stapling requests: if a client connects using SSL and asks for an OCSP response (the TLS status_request extension), the cached response is returned. Only Virtual Service certificates are validated. The OCSP daemon maintains a cache of OCSP responses that are sent back to clients. When the daemon sends a request to the responder, it uses the name in the certificate's Authority Information Access field; if it cannot resolve that name, it uses the default OCSP server specified in the OCSP Server text box.
OCSP Refresh Interval
Specify how often the LoadMaster should refresh the OCSP stapling information. The OCSP daemon caches each entry for up to the time specified here, after which it is refreshed. Valid values range from 1 hour (default) to 24 hours.