Dynamic OCSP and CRLDP check for SSL Client Authentication

Dear,

I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled.

The client certificates can be signed by any CA in a bundle that is assigned to the profile as well.

We want to enable the revocation status check based on the information in the certificate; it can be either CRLDP or OCSP.

There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP.

I also read that this is based on the ACA module that has been deprecated.

So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible.

Thanks a lot.

Abdessamad


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

CRL checking can be done within the SSL profile, but it does not automatically update the CRL file, which needs to be loaded onto the F5. However, I wrote an iCall script solution to this issue, which also doesn't put devices within a non-auto-sync device group out of sync.

iCall CRL update with Route Domains and Auto-Sync

For OCSP checking, and doing it correctly, you need APM. I do not know of another way to do this, other than maybe with iRules LX, but I have not looked at it in enough detail to say for sure. So APM is your best option if you really want to use OCSP for revocation checking.
