Forum Discussion

Squeak_117117
Apr 12, 2018

Machine Cert Auth and CRLDP issue

Hello!

I'm having an issue with CRLDP checking for clients that are connecting with the F5 Edge client. The Edge client passes every VPE box but it fails when it comes to the "CRLDP Auth". The error message in the APM log is: CRLDP Auth agent: Failure status 'No CRL distribution point found in the certificate'

I've verified that the Machine Cert has a CRL field in the certificate. URL=http://crl.xyz.se/ROOT-CA.crl

I'm using the "No Server" option in the CRLDP configuration.

Thanks in advance.

1 Reply

  • Hello,

    For information, the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.

    So you have to use an LDAP CRL URL and not an HTTP-based CRL...

    Check what F5 expects:

    A client certificate issued by a Certificate Authority (CA) may contain CRLDP information in the following formats:

    X.500 Directory Name
    HTTP or FTP URI
    LDAP URI

    The following example is a snippet of the CRLDP information presented in LDAP URI format with a hostname:

    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    The following example is a snippet of the CRLDP information presented in LDAP URI format without a hostname:

    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    https://support.f5.com/csp/article/K12975

    For information, the enhancement for CRLDP in order to work with HTTP URLs is being tracked in ID325296 (https://devcentral.f5.com/questions/crldp-using-http-url-base-).

    Regards,
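As an added example (not part of the original thread, and not F5 code), the check a practitioner would run before opening a case like the one above: a stdlib-only Python script that locates the cRLDistributionPoints extension in a DER certificate and reports which of its URIs a CRLDP agent restricted to LDAP, as the reply describes for the poster's BIG-IP version, could actually use. The sample inputs are constructed from the two URL forms quoted in this thread; FAKE_CERT is a constructed certificate skeleton, not a real certificate; the "LDAP only" rule is a parameter so it can be widened on a version that supports HTTP.

```python
"""Find the cRLDistributionPoints extension of a DER X.509 certificate and classify its URIs (stdlib only)."""
import sys
from urllib.parse import urlparse

OID_CRLDP = bytes.fromhex("551d1f")  # content octets of OBJECT IDENTIFIER 2.5.29.31 (cRLDistributionPoints)

def _der_len(n):
    """DER length octets: short form below 128, long form (0x80 | octet count, then big-endian length) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def find_crldp_extension(cert_der):
    """Raw CRLDistributionPoints value from a DER certificate (Certificate -> tbsCertificate ->
    extensions [3] -> Extension with OID 2.5.29.31), or None if the extension is absent."""
    _, cert, _ = _read_tlv(cert_der)
    _, tbs, _ = _read_tlv(cert)
    for tag, val in _iter_tlvs(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in _iter_tlvs(_read_tlv(val)[1]):   # Extension ::= SEQUENCE {OID, [critical], OCTET STRING}
                fields = list(_iter_tlvs(ext))
                if fields[0][1] == OID_CRLDP:
                    return fields[-1][1]                # OCTET STRING contents = the extension's own DER
    return None

def parse_crldp(crldp_der):
    """fullName URIs from a DER CRLDistributionPoints value (RFC 5280 4.2.1.13). Points named relative to the
    CRL issuer and directoryName entries (the X.500 form K12975 lists) give a fetcher nothing to dereference."""
    tag, dps, _ = _read_tlv(crldp_der)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for _, dp in _iter_tlvs(dps):                       # DistributionPoint SEQUENCE
        for ftag, fval in _iter_tlvs(dp):
            if ftag != 0xA0:                            # [1] reasons / [2] cRLIssuer: no fetch target
                continue
            ntag, names, _ = _read_tlv(fval)            # DistributionPointName CHOICE
            if ntag == 0xA0:                            # [0] fullName GeneralNames ([1] = nameRelativeToCRLIssuer)
                uris += [gval.decode("ascii") for gtag, gval in _iter_tlvs(names) if gtag == 0x86]  # [6] URI
    return uris

def classify(uris, supported_schemes=("ldap",)):
    """Per-URI scheme plus whether a CRLDP agent limited to supported_schemes (LDAP only, as the reply
    above describes for the poster's BIG-IP version) could use it."""
    return [{"uri": u, "scheme": s, "usable": s in supported_schemes}
            for u, s in ((u, urlparse(u).scheme.lower()) for u in uris)]

def summarize(crldp_der, supported_schemes=("ldap",)):
    """One-line verdict for one extension value."""
    report = classify(parse_crldp(crldp_der), supported_schemes)
    usable = [r["uri"] for r in report if r["usable"]]
    if not report:
        return "no CRL distribution point URIs in the extension"
    if not usable:
        return "CDP present but no URI with a supported scheme: an LDAP-only CRLDP agent has nothing to fetch"
    return "usable CDP: " + usable[0]

def encode_crldp(uris):
    """DER-encode a CRLDistributionPoints value with one fullName URI per point (sample-input builder only)."""
    points = [_tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, u.encode("ascii"))))) for u in uris]
    return _tlv(0x30, b"".join(points))

# Constructed samples built from the two URL forms quoted in this thread.
HTTP_URI = "http://crl.xyz.se/ROOT-CA.crl"
LDAP_URI = ("ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,"
            "CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com"
            "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_ONLY = encode_crldp([HTTP_URI])
HTTP_AND_LDAP = encode_crldp([HTTP_URI, LDAP_URI])
# Certificate skeleton (serial number and extensions only, no signature): not a valid certificate,
# just enough structure to exercise find_crldp_extension() offline.
FAKE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(0x30,
            _tlv(0x30, _tlv(0x06, OID_CRLDP) + _tlv(0x04, HTTP_ONLY))))))

if __name__ == "__main__":
    for label, blob in (("HTTP only", HTTP_ONLY), ("HTTP + LDAP", HTTP_AND_LDAP)):
        print(f"{label}: {summarize(blob)}")
    for path in sys.argv[1:]:                           # real DER certificates given on the command line
        with open(path, "rb") as fh:
            ext = find_crldp_extension(fh.read())
        print(f"{path}: {'no CRLDP extension' if ext is None else summarize(ext)}")
```

Run it with no arguments to see the two constructed cases, or pass DER files (convert a PEM machine certificate first with `openssl x509 -in cert.pem -outform DER -out cert.der`). A certificate like the poster's, whose only distribution point is the http:// URL, lands in the "no URI with a supported scheme" bucket, which is consistent with the 'No CRL distribution point found in the certificate' failure reported above once the agent only counts LDAP points; a certificate carrying only an X.500 directory name gives an empty URI list for the same reason.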