Forum Discussion

Employee

Nov 09, 2012

Client Certs, CRL & OCSP

Hey All, Running 10.2.1. We are currently using a CRL based approach for client cert authentication. We are downloading multiple CRLs from different vendors and then combining them into on...

config

design

Kevin_Stewart

Employee

Nov 09, 2012

However, we have found that the LTM no longer supports combined CRLs.

I'm not sure that's correct. You should definitely be able to import multiple PEM-based CRLs into a single CRL object. I'd have to look at the release notes for the 10.2.4 HFs, but it absolutely works in v11.

With multiple CAs, I ultimately believe your best bet is a local OCSP resource. It's the most scalable and resilient option, and you can simply use Win2008 OCSP services (free). Better yet, if you point your OCSP responder configuration at another BIG-IP VIP, you can load balance and monitor multiple responders for increased HA and scale.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)