Forum Discussion
chris100_263517
Nimbostratus
NimbostratusAPM CRLDP
Hello,
I'm configuring APM CRLDP for HTTP CRL retrieval and have a few questions about it. When you select pool or direct the base DN field must be populated. Does this mean that HTTP method is ...
Hello,
When you specify a destination, it's for ldap only. In latest versions you have a third option. When checked APM will look in the crldp field of your certificate
Yann_Desmarest
Cirrus
CirrusHello,
When you specify a destination, it's for ldap only. In latest versions you have a third option. When checked APM will look in the crldp field of your certificate
- Yann_DesmarestOf course, if the crldp field in your cert is invalid or non existent. You have a problem. To workaround this, you can define a crl in the clientssl profile and update it using cron and tmsh
chris100_263517if I understand - for HTTP CRL you must use cert CRL field when using CRLDP- Yann_DesmarestYou should use an CRLDP AAA object and select the option No Server. This way, the bigip APM will use the crldp field in the client certificate. You have to add a CRLDP block in your VPE
- Yann_DesmarestIf there is no crldp fields in the client cert, you can configure the Certificate Revocation List option in the Client Authentication settings within your clientssl profile. No need to add a CRLDP block in you VPE, a Client Certificate Inspection is enough
- Yann_DesmarestAnd to update your crl, you can use a cron job in cli. Here the tmsh command to update your crl : modify sys file ssl-crl mycrl.file source-path http://mycrldpuri/MyCA.crl
- chris100_263517thank you for the helpful information