Bug ID 1064257: Bundled SSL certificates may not get revalidated successfully over OCSP after stapling parameters have been modified.

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
15.1.2,, 15.1.3,, 15.1.4,, 15.1.5,, 15.1.6,, 15.1.7, 15.1.8,,, 15.1.9,, 15.1.10,,,, 16.1.2,,, 16.1.3,,,,,, 16.1.4,,,

Opened: Nov 25, 2021

Severity: 3-Major


Bundled SSL certifcates fail to validate with an OCSP responder, and they are marked invalid in the GUI and tmsh.


Client SSL traffic may become disrupted if the affected certificates are used to process it.


1. One or more bundled certificates (containing intermediate certificates in addition to the subject one) are stored on the BIG-IP. 2. The certificates are configured for monitoring over OCSP. 2. The OCSP stapling parameter "Trusted Responders" is set to 'none'.


1. Do not use OCSP status monitoring on subject certificates. OR 2. Do not use bundled certificates. OR 3. Set the Trusted Responders OCSP stapling parameter to the certificate of the OCSP responder used by the certificates.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips