Forum Discussion

vandenhoutenp_9
May 10, 2014

Machine Certificate Revocation Checks

Hi guys,

Just a quick one. Can you use a CRLDP AAA server to validate machine certificates? As far as I can see this can only be done using an OCSP responder, but I just wanted to confirm.

Thanks

Peter

 

2 Replies

  • Thanks Kevin. The solution works like a charm.

    Is it possible to have CRLDP auth if OCSP is not available?

  • Hi,

    This solution looks to be working in my case, up to the point where I want to check the machine certificate against the CRL with a CRLDP check (server connection: no server, so direct HTTP access).

    It sometimes fetches the new CRL and sometimes does not, based on TCPDUMP and firewall logs.

    I was thinking about the CRL cache, so I modified the attributes of the CRLDP server:

    Cache Timeout: 10 seconds

    Update Interval: 5 seconds

    I did this just to be sure that, while I am testing this policy, the F5 fetches a fresh CRL every time I reach the policy.

    Scenario: the machine certificate was added to the CRL, and CRLDP correctly denied access. Then the certificate was removed from the CRL, and since then CRLDP still keeps denying access. It looks like it is using a cached copy of the CRL, although I configured the CRLDP to update the CRL every 5 seconds.

    Has anybody faced this issue too?
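The caching behaviour in the reply above is easier to reason about with a model in front of you. The block below is an added example written for this page; it is not F5 APM's code and was not posted by anyone in the thread. It simulates a CRLDP client whose two timers are named after the settings in the thread (`update_interval`, `cache_timeout`) plus a switch `honour_next_update`; how these interact is an assumption chosen to show one generic way a re-issued CRL can fail to take effect, not a description of how the F5 implements them. Two facts it relies on come from RFC 5280: a relying party may treat a CRL as current until its nextUpdate, and the CRL number extension must increase with each CRL the CA issues. The simulated CA, the serial number and the timestamps are constructed. Under these assumptions, a client that trusts nextUpdate keeps reporting the machine certificate revoked after the CA has dropped it, no matter how short the update interval, until nextUpdate passes; a client that re-fetches on the timer sees the change at the next interval; and the CRL-number check stops a stale mirror from rolling the revocation list back.

```python
# Illustrative model of a CRL-distribution-point (CRLDP) client cache.
# Added example, not F5 APM's implementation: the attribute names mirror
# the settings discussed in the thread, but the way they interact here is
# an assumption used to show why a revoked-then-reinstated certificate can
# keep failing the check. Serial numbers, times and the CA are constructed.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


class RevocationCheckUnavailable(Exception):
    """Raised when no usable CRL exists; a relying party should fail closed."""


@dataclass(frozen=True)
class CRL:
    """The X.509 CRL fields that matter for caching (RFC 5280, 5.1.2 and 5.2.3)."""
    crl_number: int          # must increase with every CRL the CA issues
    this_update: int         # issue time, seconds since epoch (constructed)
    next_update: int         # time by which the CA promises a newer CRL
    revoked: FrozenSet[int]  # certificate serial numbers listed as revoked


class CRLDPCache:
    """Fetches a CRL over a distribution point and caches it.

    update_interval:    seconds between attempts to re-fetch the CRL.
    cache_timeout:      seconds a cached CRL may still be served after a
                        fetch fails or returns a CRL older than the cache.
    honour_next_update: when True, the cached CRL counts as current until
                        its nextUpdate, whatever update_interval says.
    """

    def __init__(self, fetch: Callable[[], CRL], update_interval: int,
                 cache_timeout: int, honour_next_update: bool) -> None:
        self._fetch = fetch
        self.update_interval = update_interval
        self.cache_timeout = cache_timeout
        self.honour_next_update = honour_next_update
        self._crl: Optional[CRL] = None
        self._fetched_at = 0
        self.fetch_attempts = 0

    def _needs_refresh(self, now: int) -> bool:
        if self._crl is None:
            return True
        if self.honour_next_update and now < self._crl.next_update:
            return False  # still inside the CRL's own validity window
        return now - self._fetched_at >= self.update_interval

    def _refresh(self, now: int) -> None:
        self.fetch_attempts += 1
        try:
            fresh: Optional[CRL] = self._fetch()
        except OSError:
            fresh = None  # distribution point unreachable
        # A CRL with a lower number than the cached one is a stale mirror or a
        # replay; accepting it would silently un-revoke certificates.
        if fresh is not None and self._crl is not None \
                and fresh.crl_number < self._crl.crl_number:
            fresh = None
        if fresh is not None and fresh.this_update > now:
            fresh = None  # issued in the future: clock skew or a bad CRL
        if fresh is not None:
            self._crl, self._fetched_at = fresh, now
        elif self._crl is None or now - self._fetched_at >= self.cache_timeout:
            self._crl = None
            raise RevocationCheckUnavailable("no current CRL available")
        # otherwise keep serving the cached CRL for the rest of cache_timeout

    def is_revoked(self, serial: int, now: int) -> bool:
        if self._needs_refresh(now):
            self._refresh(now)
        assert self._crl is not None
        return serial in self._crl.revoked


MACHINE_SERIAL = 0x1001  # constructed serial number of the machine certificate


def run_thread_scenario(honour_next_update: bool) -> List[Tuple[int, bool]]:
    """Replay the sequence from the thread against a simulated CA.

    Returns (time, is_revoked) for each check the client performs.
    """
    # Constructed CA state: CRL #1 revokes the machine certificate and promises
    # the next CRL in an hour; CRL #2, issued six seconds later, drops it.
    published = [CRL(1, 0, 3600, frozenset({MACHINE_SERIAL}))]

    def fetch() -> CRL:
        return published[-1]

    client = CRLDPCache(fetch, update_interval=5, cache_timeout=10,
                        honour_next_update=honour_next_update)
    results = [(0, client.is_revoked(MACHINE_SERIAL, now=0))]
    published.append(CRL(2, 6, 3606, frozenset()))
    results.append((12, client.is_revoked(MACHINE_SERIAL, now=12)))
    # A stale mirror re-serves CRL #1; the CRL-number check must keep CRL #2.
    published.append(published[0])
    results.append((18, client.is_revoked(MACHINE_SERIAL, now=18)))
    return results


if __name__ == "__main__":
    for honour in (True, False):
        print(f"honour_next_update={honour}:", run_thread_scenario(honour))
```

With `honour_next_update=True` the client never contacts the distribution point again before t=3600, so the reinstated certificate is still reported revoked at t=12 and t=18; with it off, the 5-second interval picks up CRL #2 at t=12, and the stale re-serve at t=18 is rejected because its number went backwards. When debugging a case like the one in the thread, the first two things to compare are therefore the nextUpdate and CRL number in the copy the server actually returns (`openssl crl -in file.crl -noout -text` shows both) against the copy the client is holding.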