APM CRL checking

As the references guide states, there are 3 options for revocation checking:

1. OCSP - this option takes the client certificate (issuer and serial number) and makes an OCSP request to a remote responder. It requires an OCSP AAA configuration and associated OCSP Auth agent in the policy VPE.

    

2. CRLDP - this option reads the CRLDP extension in the client certificate and attempts to retrieve the remote CRL. This also requires a AAA configuration and associated CRLDP auth in the policy VPE. Currently, the CRLDP auth agent only works with LDAP-accessible CRLDPs. There's an RFE to add HTTP support.

    

3. Local CRL - this is a PEM-formatted CRL embedded in the client SSL profile. The caution you're reading is intended for auto-generation of certificates, something that is rarely used. There are two significant caveats to using local CRLs:

    

a. They are size constrained - depending on your software and hardware versions as little as 4mb. b. They do not auto-update. CRLs usually have a pretty short shelf life, so you have to devise a way to get them updated. Here's a forum post that has some script examples for auto-updating CRLs. The formatting is messed up on the second script. I can edit it if you want to go this route.

https://devcentral.f5.com/questions/automaticlly-update-crl

Thank you!

I think i must use this script :(

But one question i have two nodes in failover, how they will synchronize crl between each other and will they sync this script ?

We have an active/passive cluster and run an automated script to update our CRL.

The short answer is that we found we needed to run the same script on both the active and the passive node separately.

A couple of points to note about this process: 1.) It is best to run the script on the passive node a few minutes after the active node rather than at the same time. We ran into issues with synching when we had the script running at the same time on each node if the passive ran a split second before the passive or vice versa.

2.) You will find that your nodes will show "Changes Pending" every time the script runs. I haven't found a way around that yet. As in I would like to be able to tell APM to ignore CRL file updates in the triggers to signify what a change is.

Thanks for help. Could you provide us your working script ?

That is no problem.. And once I figure out how to post it, I will do so. This forum errors out with an "undefined" every time I try and post the code.

Sorry, I couldn't figure out how to submit the code without the "undefined" errors.. So here is a screen grab of it (alas you will have to type it out). It could probably use a little more error checking etc., but it works. Note: Just replace the bits in the "<>" with whatever meets your environment:

Thank you. Its working.

And one more question, will it work if i'll use it under ssl client but with type- ignore user certificate, because in access policy i'm using On-demand auth. Or if not how to use crl with On-demand auth?

Nice work Nash.

To answer your last question, scorpa, the APM on-Demand Cert Auth agent will read the CRL from the client SSL profile, so you can definitely set the client SSL profile to "ignore".