Forum Discussion
Automatically update CRL
Is it possible to configure auto-update of the CRL?
I have BIG-IP v11. From the CA I have downloaded and imported the CRL file. In the Client SSL profile I have configured: Cert - required ... and CRL => imported file.
So, how can I configure the automatic update of the CRL file?
Is it possible to set it from the GUI, or CLI only?
THX
17 Replies
- hoolio
Cirrostratus
Hi Petras,
You could potentially script this, but there isn't a facility within BIG-IP to auto-update the CRL. If you want real-time checking of client certs you could use APM or the Advanced Client Auth module to do OCSP verification.
Aaron
- petras123_10972
Nimbostratus
Hi Hoolio,
thank you for the answer. Do you have any idea how to script the download? The CA publishes the CRL file only over HTTP.
ThX
- uni
Altocumulus
F5's approach to this problem is poor. This problem must be widespread, but it is never adequately addressed, neither here in the forum nor on the support site or in the documentation.
Once again, the need for CRL updates has come up for us. In addition to downloading the CRL, we also had the following issues:
* The IP address of the CRL server cannot be known in advance (it apparently changes from time to time). We need to use DNS to locate it
* We cannot download the file using the DNS name because the internet is not accessible through the default route domain.
* The CRL as downloaded is in DER format, so we need to convert it to PEM per the LTM's requirement
* Even when a new CRL is in place, the tmm does not read it, so we have to "touch" the config to force it to reload it.
We are currently using the following shell script, run once a day from cron, to achieve this. Note that this uses the bigpipe utility, which will not work in v11. It also needs a bit more error checking.
------------------------------------------------------------------------
#!/bin/sh
cd /var/tmp || exit 1
# delete the old temporary files (ignore them if they are not there)
rm -f demo.crl demo.pem
# get the current IP address of the CRL server
CRLIP4=`dig demo.example.com A | grep '^demo.*[0-9]$' | awk '{print $5}'`
# convert it to the IPv6 route domain 5 address
CRLIP6=`rdip $CRLIP4\%5`
if [ $? -eq 0 ]; then
    # download the CRL faking the host header because we're using an IP address in the request
    curl -v -O -H 'Host: demo.example.com' -g http://[$CRLIP6]/crl/demo.crl
    if [ -f demo.crl ]; then
        # convert the CRL from DER to PEM
        openssl crl -inform der -in demo.crl -out demo.pem
        rm demo.crl
        mv demo.pem /config/ssl/ssl.crl/
        # set the administrative partition to update the config
        bigpipe shell write partition mypartition
        # 'touch' the clientssl profile so tmm re-reads the crl
        bigpipe profile clientssl demo-clientssl crl file demo.pem
    fi
fi
------------------------------------------------------------------------
The above script refers to a script "rdip", which we pinched from elsewhere on the forums. It converts an IPv4 address with the route domain number appended to the special IPv6 address.
This is shown below:
------------------------------------------------------------------------
#!/bin/bash
# Usage: rdip <ipv4-address>%<route-domain>
# Prints the special IPv6 address that stands for that IPv4 address inside that route domain.
# F5_RD_HEADER="2620:0:c10:f501:0:"   # alternative prefix listed in the original post; the line below is the one in effect
F5_RD_HEADER="2610:0:c10:f501:0:"
HOST_ADDRESS=${1/\%*}
ROUTE_DOMAIN=${1/*\%}
# without a "%N" suffix the substitution above leaves ROUTE_DOMAIN equal to the whole argument, so refuse that
case "$1" in
    *%*) ;;
    *) echo "usage: $0 <ipv4-address>%<route-domain>" >&2; exit 1 ;;
esac
if [ ! -z "$ROUTE_DOMAIN" ]; then
    host_parts=($(echo "$HOST_ADDRESS" | grep -Po "\d+"))
    # route domain in hex, then the four octets packed as two 16-bit hex groups
    printf "%s%x:%x:%x\n" "$F5_RD_HEADER" "$ROUTE_DOMAIN" $(((${host_parts[0]} << 8) + ${host_parts[1]})) $(((${host_parts[2]} << 8) + ${host_parts[3]}))
    exit 0
fi
exit 1
------------------------------------------------------------------------
I hope this helps
- George_Watkins
Historic F5 Account
Here is the manual section on validating certificate revocation status. This section covers CRLs, OCSP, and CRLDP.
-George
- Evan
Nimbostratus
Hi folks, I came across a similar issue when a PKI I was working with did not support OCSP and the CRLDP setup would not work because the CRLDP info in the cert was without a hostname, i.e. ldap:///CN=... (http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12975.html?sr=22851678)
So the only workaround was implementing a scripted download/update of the CRL file from an 11.1 box, so I thought I'd add what I did here, basically modifying the above script to suit with a few extras.
Note that if you save the script in /root/ then I am told the script won't be wiped out if you upgrade the OS/apply a hotfix etc. However, the crontab entry may be wiped out if you upgrade the OS/apply a hotfix, I believe - I haven't tested it. The script also has some additional error checking and emails out a notification if there's an error in curl getting the file.
------------------------------------------------------------------------
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by this
#   script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List
# - Remember to make this script executable (chmod 700 or as applicable) and test it from CLI first
# - Add it to crontab (crontab -e), e.g. if you want to run it on the hour every hour add 0 * * * * /root/demo_crl.sh
cd /root || exit 1
# delete the old file if it exists
if [ -f demo.crl ]; then
    mv demo.crl demo.crl.old
fi
if [ $? -eq 0 ]; then
    # Download CRL faking the host header because we're using an IP address in the request
    # rdexec only available in v11.1 - runs a CLI command against a specific route domain see sol13472
    # Change <RD> to your route domain ID (you can omit rdexec entirely for Common route domain)
    # Change or remove --ntlm -u <user>:<password> if you need AD credentials to download
    # Enter the name and IP of your PKI server instead of <hostname> and <1.2.3.4>
    # The URL is quoted so the shell does not read its '&' as "run in background"
    rdexec <RD> curl -o demo.crl --ntlm -u <user>:<password> -H 'Host: <hostname>' -g 'http://<1.2.3.4>/certsrv/certcrl?Type=base&Renewal=0&Enc=bin'
    if [ -f demo.crl ]; then
        # convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above
        # openssl crl -inform der -in demo.crl -out demo.pem
        # rm demo.crl
        # mv demo.pem demo.crl
        # This is the v11 location and TMSH command to 'touch' the config
        # Change <partition> to the relevant partition name (or Common) and <profile> to the relevant client ssl profile
        cat demo.crl > /config/filestore/files_d/<partition>_d/certificate_revocation_list_d/\:<partition>\:demo.crl_1
        tmsh modify ltm profile client-ssl /<partition>/<profile> crl-file /<partition>/demo.crl
    else
        # Email notify someone if this failed for any reason - need to setup mailhub in /etc/ssmtp/ssmtp.conf ref sol13180
        mail -s "CRL retrieval failed" admin@example.com < /dev/null
    fi
fi
------------------------------------------------------------------------
- uni
Altocumulus
Nice Evan. Very similar to my script once I converted to v11. One thing I would do differently is not overwrite the old crl when you download the new one: test if the new one exists, then rename it. That way if the download fails you still have the original crl.
I very much prefer the rdsh and rdexec commands over the old structured IPv6 addresses :)
- uni
Altocumulus
Another suggestion. You can import the file using tmsh. This is the 11.1 syntax; it looks like it might be different for 11.2.
This moves the file into place and 'touches' the config:
tmsh modify /sys file ssl-crl democrl source-path file:/root/demo.crl
- lsv_53630
Nimbostratus
Another version. Note that this has only been tested on 11.1.x and an F5 active/standby cluster.
REMOVED
- lsv_53630
Nimbostratus
Removed post. Code contained error.
- lsv_53630
Nimbostratus
Wth is wrong with this board? I can't even edit posts decently... Anyway, this is the correct bugfix:
------------------------------------------------------------------------
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by this
#   script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List.
TMSH="/usr/bin/tmsh"
TMPFILE=`/bin/mktemp` || { echo "Failed to create temp file. Exiting"; exit 1; }
# remove the temp file on every exit path, success or failure
trap '/bin/rm -f "$TMPFILE"' EXIT
if [ -e "$TMSH" ]; then
    STATUS=`$TMSH show sys failover`
else
    echo "tmsh not found"
    exit 1
fi
case "$STATUS" in
    *active*)
        echo "Active F5: Continuing..."
        ;;
    *standby*)
        # the standby unit must not fetch or push config; it gets the CRL through config-sync below
        echo "Standby F5: Exiting."
        exit 0
        ;;
    *)
        echo "Unknown status: Exiting."
        exit 1
        ;;
esac
/usr/bin/curl -f -o "$TMPFILE" -H 'Host: HOSTNAME' -g http://HOSTNAME/demo.crl
if [ $? -ne 0 ]; then
    echo "Error getting CRL file. Exiting."
    exit 1
fi
if [ -f "$TMPFILE" ] && [ -s "$TMPFILE" ]; then
    # convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above
    # (adjusted to work on the temp file, since this script never creates demo.crl)
    # openssl crl -inform der -in "$TMPFILE" -out "$TMPFILE.pem" && mv "$TMPFILE.pem" "$TMPFILE"
    $TMSH modify /sys file ssl-crl demo.crl source-path file:$TMPFILE
    if [ $? -eq 0 ]; then
        $TMSH run /cm config-sync to-group /Common/CLUSTERNAME
    else
        echo "crl upload fail. Exiting."
        exit 1
    fi
else
    echo "No crl file found or crl file empty. Exiting."
    exit 1
fi
------------------------------------------------------------------------
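Every script in this thread installs whatever curl returned as soon as the file exists and is non-empty, and uni's point about keeping the old CRL until the new one is known good is the one worth acting on. The following added example (not from any poster and not F5 code; it assumes the cryptography Python package, that the caller fetches the bytes separately and that it records the CRL number currently installed) accepts DER or PEM, verifies the CRL signature against the issuing CA, rejects an expired or replayed CRL, and only then returns the PEM that tmsh's ssl-crl import expects.

```python
"""Gate a downloaded CRL before it replaces the one BIG-IP is using (added example)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def load_crl(data: bytes) -> x509.CertificateRevocationList:
    """Accept DER (what most CAs publish) or PEM, so no guessing of -inform is needed."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return x509.load_pem_x509_crl(data)
    return x509.load_der_x509_crl(data)


def validate_crl(data: bytes, ca_cert: x509.Certificate, installed_number: int) -> bytes:
    """Return the CRL as PEM only if ca_cert signed it, its nextUpdate has not passed and its
    CRL number is newer than the installed one; otherwise raise so the caller keeps the old file."""
    crl = load_crl(data)
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the expected CA")
    # cryptography >= 42 exposes tz-aware next_update_utc; older releases only a naive UTC value
    if hasattr(crl, "next_update_utc"):
        next_update = crl.next_update_utc
    else:
        next_update = crl.next_update and crl.next_update.replace(tzinfo=UTC)
    if next_update is None or next_update <= datetime.datetime.now(UTC):
        raise ValueError("CRL is stale: nextUpdate has passed or is missing")
    # a CRL without the CRLNumber extension raises ExtensionNotFound here, which is also a rejection
    number = crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number
    if number <= installed_number:
        raise ValueError(f"CRL number {number} is not newer than installed {installed_number}")
    return crl.public_bytes(serialization.Encoding.PEM)


def make_sample(crl_number: int, der: bool = True):
    """Constructed fixture, not a real PKI: a throwaway CA and one CRL it signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now, day = datetime.datetime.now(UTC), datetime.timedelta(days=1)
    ca = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
          .public_key(key.public_key()).serial_number(1)
          .not_valid_before(now - day).not_valid_after(now + day).sign(key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name)
           .last_update(now - day).next_update(now + day)
           .add_extension(x509.CRLNumber(crl_number), critical=False).sign(key, hashes.SHA256()))
    return ca, crl.public_bytes(serialization.Encoding.DER if der else serialization.Encoding.PEM)
```

The returned PEM is what you write to the temp file before `tmsh modify /sys file ssl-crl ... source-path file:...`; a ValueError means leave the installed CRL alone and alert.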
