
Machine Cert Auth and CRLDP issue

Hello!

I'm having an issue with CRLDP checking for clients that are connecting with the F5 Edge client. The Edge client passes every VPE box but it fails when it comes to the "CRLDP Auth". The error message in the APM log is: CRLDP Auth agent: Failure status 'No CRL distribution point found in the certificate'

I've verified that the machine cert has a CRL field in the certificate. URL=http://crl.xyz.se/ROOT-CA.crl

I'm using the "No Server" option in the CRLDP configuration.

Thanks in advance.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hello,

For information, the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.

So you have to use an LDAP CRL URL and not an HTTP-based CRL...

Check what is expected by F5:

A client certificate issued by a Certificate Authority (CA) may contain CRLDP information in the following formats:

X.500 Directory Name
HTTP or FTP URI
LDAP URI
The following example is a snippet of the CRLDP information presented in LDAP URI format with a hostname:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

The following example is a snippet of the CRLDP information presented in LDAP URI format without a hostname:

[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

https://support.f5.com/csp/article/K12975

For information, the enhancement for CRLDP in order to work with HTTP URLs is being tracked in ID325296 (https://devcentral.f5.com/questions/crldp-using-http-url-base-).

Regards,

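As an added illustration (my own script, not part of this answer and not an F5 tool), the following Python checks a certificate the way the accepted answer describes: it pulls the URL= lines out of a certutil-style dump of the CRL Distribution Points extension, flags each URL as usable by the CRLDP agent only when it is an LDAP URI, and splits an LDAP URI into host, DN, attribute, scope and filter so the hostname-less ldap:/// form is visible. The sample dump is constructed from the two URLs on this page; the function names are mine.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample (not a real certificate): a certutil-style dump of the
# CRL Distribution Points extension, in the layout quoted above. Point [1] is
# the HTTP URL from the question; point [2] is the page's hostname-less LDAP URI.
CDP_DUMP = """\
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://crl.xyz.se/ROOT-CA.crl
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
"""

URL_LINE = re.compile(r"^\s*URL=(\S+)", re.MULTILINE)


def extract_cdp_urls(dump):
    """Return every URL= value in a certutil-style CDP dump, in order."""
    return URL_LINE.findall(dump)


def parse_ldap_cdp(url):
    """Split an RFC 4516 LDAP URL (ldap://host/DN?attrs?scope?filter) into parts."""
    p = urlparse(url)
    attrs, scope, filt = (p.query.split("?", 2) + ["", "", ""])[:3]
    return {
        "host": p.hostname or "",            # "" for ldap:/// (no hostname given)
        "dn": unquote(p.path.lstrip("/")),  # %20 -> space inside the DN
        "attribute": attrs,                  # should be certificateRevocationList
        "scope": scope or "base",            # RFC 4516 default scope
        "filter": filt,
    }


def check_cdp(url):
    """Verdict for one distribution point: per the answer, only LDAP is usable."""
    scheme = urlparse(url).scheme.lower()
    result = {"url": url, "scheme": scheme, "usable": scheme == "ldap"}
    if scheme == "ldap":
        result.update(parse_ldap_cdp(url))
    return result


def check_certificate(dump):
    """Per-URL verdicts plus whether any point would satisfy the CRLDP agent."""
    points = [check_cdp(u) for u in extract_cdp_urls(dump)]
    return {"points": points, "crldp_ok": any(v["usable"] for v in points)}
```

Run `check_certificate(CDP_DUMP)` to see that the HTTP point alone would reproduce the "No CRL distribution point found" failure from the question, while the LDAP point is accepted.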
Comments on this Answer
Comment made 12-Apr-2018 by iaine 819

Support ID 325296 got addressed in 11.4 HF6. Have you seen this post by Yann who details some config steps for this -

Comment made 12-Apr-2018 by youssef 3598

Hello Iaine,

Yes, this is the method that I usually use. However, I changed this method: I use an iCall handler instead of a script, because the script and cron job will be lost after an upgrade.

The additional CRL check specified by Yann is for SSL client auth (so you don't need a CRLDP object, just add the CRL in the client SSL). Maybe Squeak uses machine cert auth, so this method is not applicable!!!

In any case, if you or Squeak are interested in my iCall, keep me in touch.

Regards

Comment made 17-Apr-2018 by Squeak 77

Hello!

@youssef Thank you for your response. So, just to be clear, HTTP-based CRLDP doesn't work if I'm using machine cert auth?
