Forum Discussion
OCSP is actually performed via an OCSP Auth agent in the visual policy and a corresponding OCSP AAA configuration. The agent assumes that client cert data is being sent to it via an APM session variable, session.ssl.cert.whole, if I remember correctly. There are generally two ways to make that happen. You can specify request or require in the client authentication section of the client SSL profile, or you can use an On-Demand Certificate auth agent in the VPE before the OCSP agent. The client SSL profile is still needed for both options to enforce client-side SSL characteristics (ciphers, trust chains, server certs/keys, etc.). The On-Demand cert auth agent simply flips the client auth option from ignore to request or require and initiates an SSL renegotiation to get the client cert.