Forum Discussion
APM CRL checking
As the reference guide states, there are 3 options for revocation checking:

- OCSP - this option takes the client certificate (issuer and serial number) and makes an OCSP request to a remote responder. It requires an OCSP AAA configuration and associated OCSP Auth agent in the policy VPE.
- CRLDP - this option reads the CRLDP extension in the client certificate and attempts to retrieve the remote CRL. This also requires a AAA configuration and associated CRLDP auth in the policy VPE. Currently, the CRLDP auth agent only works with LDAP-accessible CRLDPs. There's an RFE to add HTTP support.
- Local CRL - this is a PEM-formatted CRL embedded in the client SSL profile. The caution you're reading is intended for auto-generation of certificates, something that is rarely used. There are two significant caveats to using local CRLs:
  a. They are size constrained - depending on your software and hardware versions as little as 4mb.
  b. They do not auto-update. CRLs usually have a pretty short shelf life, so you have to devise a way to get them updated. Here's a forum post that has some script examples for auto-updating CRLs. The formatting is messed up on the second script. I can edit it if you want to go this route.
  https://devcentral.f5.com/questions/automaticlly-update-crl
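The two local-CRL caveats above (a size ceiling and a short shelf life) are exactly what an update script should check before it pushes a fresh CRL into the client SSL profile. The following is an added example, not code from the post author or from F5: a pure-stdlib Python pre-flight check that parses a DER CRL just far enough to read its size, thisUpdate/nextUpdate window and revoked serial numbers, and refuses a CRL that is over the limit or already expired. The sample CRL is constructed inline with a throwaway DER encoder (its signature bytes are dummy, so nothing here verifies the issuer's signature; do that with openssl or your PKI library before trusting the file), and the 4 MiB default limit is a placeholder taken from the "as little as 4mb" figure in the post, not a value read from any BIG-IP version.

```python
"""Pre-flight check for a local CRL: size, validity window, revoked serials (stdlib only)."""
import datetime as dt

UTC = dt.timezone.utc

# ---- minimal DER encoder, used only to build the constructed sample CRL below ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def _int(n):  # non-negative INTEGER, with the leading 0x00 pad DER requires
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _tlv(0x02, b)

def _utc(t):  # UTCTime, YYMMDDHHMMSSZ
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

_SHA256_RSA = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

def build_sample_crl(this_update, next_update, revoked_serials):
    """Constructed CertificateList for demonstration; the signature value is a dummy."""
    issuer = _seq(_tlv(0x31, _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0c, b"Example CA"))))
    parts = [_int(1), _SHA256_RSA, issuer, _utc(this_update), _utc(next_update)]
    if revoked_serials:  # revokedCertificates is OPTIONAL and must be absent when empty
        parts.append(_seq(*[_seq(_int(s), _utc(this_update)) for s in revoked_serials]))
    tbs = _seq(*parts)
    return _seq(tbs, _SHA256_RSA, _tlv(0x03, b"\x00" + b"\xaa" * 32))

# ---- minimal DER reader for the fields that matter when deciding to load a CRL ----
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=UTC)

def inspect_crl(der):
    """Parse size, thisUpdate, nextUpdate (may be absent) and revoked serials from a DER CRL."""
    _, cert_list, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert_list, 0)
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0   # skip optional version INTEGER
    i += 2                                  # skip signature AlgorithmIdentifier and issuer Name
    this_update = _time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(*fields[i]); i += 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates (crlExtensions is [0], 0xA0)
        for _, entry in _children(fields[i][1]):
            serial = _children(entry)[0][1]
            revoked.append(int.from_bytes(serial, "big", signed=True))
    return {"size": len(der), "this_update": this_update, "next_update": next_update, "revoked": revoked}

def check_local_crl(der, now, max_bytes=4 * 1024 * 1024):
    """Return (ok, reason). max_bytes is a placeholder for the platform's real limit."""
    info = inspect_crl(der)
    if info["size"] > max_bytes:
        return False, "CRL is %d bytes, over the %d-byte limit" % (info["size"], max_bytes)
    if info["next_update"] is None:
        return False, "CRL carries no nextUpdate; freshness cannot be judged"
    if now < info["this_update"]:
        return False, "CRL thisUpdate %s is in the future" % info["this_update"].isoformat()
    if now >= info["next_update"]:
        return False, "CRL expired at %s; fetch a new one" % info["next_update"].isoformat()
    return True, "CRL valid until %s, %d revoked serials" % (info["next_update"].isoformat(), len(info["revoked"]))

def is_revoked(der, serial):
    return serial in inspect_crl(der)["revoked"]

def days_after(t, n):
    return t + dt.timedelta(days=n)

# Constructed sample: a one-week CRL listing two revoked serials.
SAMPLE_THIS_UPDATE = dt.datetime(2024, 1, 1, tzinfo=UTC)
SAMPLE_NEXT_UPDATE = days_after(SAMPLE_THIS_UPDATE, 7)
SAMPLE_CRL = build_sample_crl(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE, [0x1001, 0xABCDEF])

if __name__ == "__main__":
    print(check_local_crl(SAMPLE_CRL, days_after(SAMPLE_THIS_UPDATE, 1)))
    print(check_local_crl(SAMPLE_CRL, days_after(SAMPLE_THIS_UPDATE, 8)))
```

In an update job, run `check_local_crl` against the freshly downloaded CRL (converted from PEM with base64 decoding if needed) and only then replace the copy in the client SSL profile; scheduling the job well inside the CRL's nextUpdate window, rather than at its edge, keeps the BIG-IP from serving a stale list during a fetch failure.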