Luke_Lehman
Employee
Nov 09, 2012
Client Certs, CRL & OCSP
Hey All,
Running 10.2.1.
We are currently using a CRL based approach for client cert authentication. We are downloading multiple CRLs from different vendors and then combining them into on...
Kevin_Stewart
Employee
Nov 09, 2012
> However, we have found that the LTM no longer supports combined CRLs.
I'm not sure that's correct. You should definitely be able to import multiple PEM-based CRLs into a single CRL object. I'd have to look at the release notes for the 10.2.4 HFs, but it absolutely works in v11.
With multiple CAs, I ultimately believe your best bet is a local OCSP resource. It's the most scalable and resilient option, and you can simply use Win2008 OCSP services (free). Better yet, if you point your OCSP responder configuration at another BIG-IP VIP, you can load balance and monitor multiple responders for increased HA and scale.
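Added example, not part of either post and not F5 code: one way to build and sanity-check the combined PEM CRL file discussed above before importing it, rejecting DER-only input, non-CRL PEM blocks and truncated data, and dropping duplicates. `combine_crls`, `der_length_ok` and `fake_crl` are hypothetical names, and the sample CRLs are constructed placeholders rather than real signed CRLs.

```python
import base64, hashlib, re, textwrap

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def combine_crls(pem_texts):
    """Hypothetical helper: merge PEM CRL texts into one bundle; returns (bundle, count)."""
    seen, out = set(), []
    for i, text in enumerate(pem_texts):
        blocks = PEM_RE.findall(text)
        if not blocks:
            raise ValueError(f"input {i}: no PEM block (DER-encoded file?)")
        for label, body in blocks:
            if label != "X509 CRL":
                raise ValueError(f"input {i}: unexpected PEM block {label!r}")
            der = base64.b64decode("".join(body.split()), validate=True)
            if not der_length_ok(der):
                raise ValueError(f"input {i}: truncated or malformed DER")
            digest = hashlib.sha256(der).digest()
            if digest in seen:             # same CRL supplied twice
                continue
            seen.add(digest)
            b64 = base64.b64encode(der).decode()
            out.append("-----BEGIN X509 CRL-----\n"
                       + "\n".join(textwrap.wrap(b64, 64))
                       + "\n-----END X509 CRL-----\n")
    return "".join(out), len(out)

def fake_crl(payload: bytes) -> str:
    """Constructed placeholder: a DER SEQUENCE wrapper, not a real signed CRL."""
    der = bytes([0x30, len(payload)]) + payload
    return ("-----BEGIN X509 CRL-----\n" + base64.b64encode(der).decode()
            + "\n-----END X509 CRL-----\n")

if __name__ == "__main__":
    bundle, n = combine_crls([fake_crl(b"vendor-a"), fake_crl(b"vendor-b")])
    print(n, "CRLs combined")
```

The structural check only confirms PEM framing and DER length; it does not verify CRL signatures or validity dates.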
