Forum Discussion

smiley_dba_1116
Sep 27, 2011

ACA+CRLDP=iRules?

I need some info for using an F5 with CRL for client-side cert checking. I've done this on a Juniper within the Trusted Client CA setup, where I can use OCSP or just CRLs; I just need to add the HTTP path and CRL download frequency. I've looked at the F5 support site and DevCentral but have found nothing that talks about this. The support docs cover a CRL put as a file on the F5 and/or OCSP only. Can the F5 be set up the same as a Juniper, or can I use an iRule for this? What I really want is to use the CRLDP method. Can this actually happen, and if so, how?


Thanks, smiley


  • Hi Smiley,

    You are correct. By default the F5 just does a Revocation Status check (this check is against a list of revoked SSL Certificates contained within a file on the local BigIP. I am sure that you could write a script to update this file, but that would be on the local system and possibly a cron job).

    By default you can set your Client SSL Profile to ignore, require, request, or automatically handle Client SSL Certificates and even control which CAs you will accept SSL Certificates from, but any additional functionality beyond that must be done in an iRule, as you suspected.

    This is a simple example that compares the SSL Certificate Serial Number with a Data Group List to determine if the requesting client should be allowed access. You could use an alternate method if you like.

    when CLIENTSSL_CLIENTCERT {
        if { [SSL::cert count] == 0 } {
            log local0. "No Certificate Provided"
            drop
        } else {
            # Log the leaf certificate, and the second chain entry only if the client sent one
            log local0. "Certificate 1:  [X509::serial_number [SSL::cert 0]]"
            if { [SSL::cert count] > 1 } {
                log local0. "Certificate 2:  [X509::serial_number [SSL::cert 1]]"
            }
            log local0. "Client Certificate Received - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            # Compare the leaf serial number against the ValidCertificates Data Group List
            if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
                log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
            } else {
                log local0. "Client Rejected - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
                reject
            }
        }
    }

    As I said though, this is a SIMPLE example. You will need to loop through all SSL Certificates presented by the client (this iRule does not do that because it was just a proof of concept), check them all, and, based on what you find (whatever criteria you want to compare against), set a flag that you could use in the HTTP_REQUEST event to route the traffic to the destination (or throw a 403 status, etc.).

    Hope this helps.
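The "loop through all certificates, set a flag, enforce it in HTTP_REQUEST" pattern the reply describes, written out as an added example (this is not code from the original post or from F5). It treats a data group as a locally maintained revocation list, which is the closest iRule-only equivalent to the CRL file the question mentions. Assumptions: a data group named `RevokedCertificates` exists and holds serial numbers in the same string format that `X509::serial_number` returns on your BIG-IP version (check your own log output first), and the Client SSL profile already restricts which CA may issue the client certificate, since serial numbers are unique only within one issuer.

```tcl
# Added example, not the original poster's code.
# Assumed data group: RevokedCertificates (one serial number string per entry,
# in the same format X509::serial_number produces on this BIG-IP).
when CLIENTSSL_CLIENTCERT {
    # Default to "not authorized"; only a fully checked chain flips this flag.
    set cert_ok 0
    set cert_count [SSL::cert count]

    if { $cert_count == 0 } {
        log local0. "No Certificate Provided - IP:[IP::client_addr]"
        reject
        return
    }

    # Walk every certificate the client presented, not just index 0,
    # and fail closed if any of them appears on the revocation data group.
    set revoked_found 0
    for { set i 0 } { $i < $cert_count } { incr i } {
        set serial [X509::serial_number [SSL::cert $i]]
        set issuer [X509::issuer [SSL::cert $i]]
        log local0. "Cert $i - IP:[IP::client_addr] Issuer:$issuer Serial:$serial"
        if { [class match $serial equals RevokedCertificates] } {
            log local0. "Revoked certificate in chain - IP:[IP::client_addr] Serial:$serial"
            set revoked_found 1
        }
    }

    if { $revoked_found } {
        log local0. "Client Rejected - IP:[IP::client_addr]"
    } else {
        set cert_ok 1
        log local0. "Client Accepted - IP:[IP::client_addr]"
    }
}

when HTTP_REQUEST {
    # The flag set during the handshake decides every request on this connection.
    # A missing variable means CLIENTSSL_CLIENTCERT never ran (e.g. no cert requested),
    # so treat that as not authorized too.
    if { ![info exists cert_ok] || !$cert_ok } {
        log local0. "403 - IP:[IP::client_addr] URI:[HTTP::uri]"
        HTTP::respond 403 content "Client certificate not authorized" "Content-Type" "text/plain"
        return
    }
    # Authorized: fall through to the virtual server's default pool.
}
```

Responding with 403 in HTTP_REQUEST rather than calling `reject` during the handshake gives the client a readable error and a log line per request, which is easier to correlate during incident review. Keeping the decision in a per-connection variable means the chain is evaluated once at handshake time and not re-parsed for every HTTP request.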