Check for server certificate revocation

Question

HI&nbsp;We are planning to upgrade BIG-IP 13.x to 14.x, but if we upgrade to 14.x, users will ge popup of "Revocation information for the secuirty certificate for theis site is not available. Do you want to proceed?"From F5 support, we got advince that if Internet option "Check for server certificate revocation" is disabled, the popup can be avoided. It surely can be avoided with it, but many of our user uses unmanaged hardened device and users cannot change internet option settings.&nbsp;On the VS, private server certificate is used. All deivces has corresponding client certificate. We import CRL from private CA every half hour by using follwoing command line on BIG-IP.tmsh modify /sys file ssl-crl [CRL name] source-path [URL for CRL]I guess that the popup is shown because it is private certificates. THe popup can be avoided by some setting on BIG-IP side?

f5_design_engineer · Answer

For DYNAMIC CRL
================
if you want to use external proxy server for forwarding the CRL request to the CRL server.
1. Crate DNS Resolver (Network--&gt;DNS Resolvers--&gt;DNS Resolver List--&gt;Create)
2. Open DNS Resolver created in step 1, go to "Forward Zones" tab and add appropriate zones with DNS servers.
3. Create an internal proxy (GUI--&gt;System--&gt;Services--&gt;Internal Proxies--&gt;Create)
Assign DNS Resolver created in step 1 (no external proxy) or enable "Use Proxy Server" and specify LTM pool with proxy server (external proxy server).
4. Create Traffic Certificate Management CRL object (GUI--&gt;System--&gt;Certificate Management --&gt; Traffic Certificate Management --&gt; CRL)
Assign internal proxy created in step 3.
5. Assign CRL object created in step 5 to Client SSL profile with client authentication enabled:
Open GUI--&gt;Local Traffic--&gt;Profiles--&gt;SSL--&gt;Client--&gt;profile_name
Go to Client Authentication section and set:
Client Certificate to request/require this will enable client authentication
Trusted Certificate Authorities to CA that you want to trust
CRL to object created in step 2.
&nbsp;
Include root certificates to Advertised and Trusted bundle
From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report:
Bug ID 743758 (f5.com)
In F5 in the client SSL profiles , please search for the following setting:
&nbsp;

Notify Certificate Status to Virtual Server
Introduced in BIG-IP 13.0.0, this option specifies whether to propagate the status of the certificates associated with this client SSL profile to the virtual servers that are using this client SSL profile. Disabled by default.
Note: This option is used to communicate SSL certificate revocation status to the virtual server. This is typically implemented in conjunction with an OCSP stapling configuration.
This option is disabled by default.
&nbsp;
You have to enable it on your CLIENT SSL profile by checking the option button
&nbsp;
&nbsp;
For that you have to import the CRL list and then apply that to the CRL option in the CLIET SSL profile
&nbsp;
&nbsp;
&nbsp;
For STATIC CRL
===============
Having a CRL loaded as a local file into the BIGIP is probably the easiest way to get it to check a CRL since you are avoiding the use of MS Enterprise/Datacenter Servers with OCSP. I also had various issues that the F5 tech support could not explain with CRLDP and MS cert services. So the CRL is an easy fix for a lab environment. I also could not find the proper method to do this in the online knowledge-base for F5’s product either.
For starters, you need to get a copy of the CRL from your MS Certificate Server.Download CRL1) Browse to http://SERVERNAME/CertSrv Sign in if needed.2) Click on Download a CA certificate, certificate chain, or CRL.3) Select DER format and click on Download Latest Base CRL4) Save the file to your machine.
Load the CRL to the BIGIP1) Open up your BIGIP Admin Gui2) Navigate to Sytem -&gt; File Management -&gt; SSL Certificate List -&gt; Import3) From the Import Type PullDown, Select ‘Certificate Revocation List’4) Enter in the Name you want use when referencing this File in BIGIP. Select Create New or Overwrite as needed.5) Use the Browse Button to select the cert file called ‘certcrl.crl’6) Click Import to finish the Process.
&nbsp;
&nbsp;
&nbsp;
Now that the CRL is imported, it can be used in any SSL Client Profile in the Certificate Revocation List (CRL) Dropdown.
This CRL is static. Any newly revoked certs on the MS Server will, of course, not be seen by the F5 until the CRL file&nbsp;
https://my.f5.com/manage/s/article/K14783
HTH
🙏
&nbsp;

&nbsp;
HTH
🙏

Forum Discussion

Check for server certificate revocation

1 Reply

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

IPv8 Would Fix My Routing Tables. It Will Never Ship.

Recent Discussions

Errors with AS3 3.56.0 with F5 17.5.1.6

F5 ASM/AWAF – violations logged but no learning suggestions generated

F5 VELOS Backplane Inter-Tenants Communication

migrate from serie I to R. Cluster LTM-GTM

Best Practice guide for enabling Attack signature In BIG-IP ASM

Related Content

Automating Certificate Management on F5 BIG-IP

Validate Certificate Common Name and Revocation Status

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Disable certificate revocation checking

Automating ACMEv2 Certificate Management on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS