Bug ID 784713: When SSL forward proxy is enabled, AKID extension of the OCSP signer certificate on the clientside is not correct

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,, 14.0.0,,,,,, 14.0.1,, 14.1.0,,,,,, 14.1.2, 15.0.0, 15.0.1,,,,

Fixed In:

Opened: May 21, 2019

Severity: 3-Major


When SSL forward proxy is configured, or for SSLO, if OCSP or CRL is set on the serverside, the certificate that signs the OCSP response on the clientside does not have the correct Authority Key Identifier (AKID).


Incorrect AKID X509 extension for the OCSP signer certificate on the clientside. Depending on browsers/clients, this may result in the browsers/clients to not be able to use the stapled OCSP response.


Configure SSL forward proxy or enable SSLO and enable OCSP or CRL on serverside/server SSL profiles.



Fix Information

After the fix, the OCSP signer certificate has the correct AKID X509 extension.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips