Forum Discussion

Abdessamad_851's avatar
Abdessamad_851
Icon for Nimbostratus rankNimbostratus
Dec 06, 2018

Dynamic OCSP and CRLDP check for SSL Client Authentication

Dear,

 

I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled.

 

The client certificates can be signed by any CA in a bundle that is assigned to the profile as well.

 

We want to enable the revocation status check based on the information of the certificate, it can be either CRLDP or OCSP.

 

There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP.

 

I also read that this is based on the ACA module that has been deprecated.

 

So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible.

 

Thanks a lot.

 

Abdessamad

 

APM
application delivery
client ssl profile
crldp
LTM
ocsp
security
ssl client authentication

1 Reply

Sort By
  • Andy_McGrath's avatar
    Andy_McGrath
    Icon for Cumulonimbus rankCumulonimbus
    Dec 06, 2018

    CRL checking can be done within the SSL profile but does not automatically update the CRL file which needs to be loaded on to the F5. However, I wrote an iCall script solution to this issue which also doesn't put devices within a none auto sync device group out of sync.

     

    iCall CRL update with Route Domains and Auto-Sync

     

    For OCSP checking, and doing it correctly, you need APM I do not know of another way to do this other than maybe with iRules LX but not look at it in enough detail to say for sure. So APM is your best option if you really want to use OCSP for revocation checking.