CRL & OCSP validtion of client certificates from X509 fields

I have requirement to create a Client certificate authenticated VIP with revocation checks.

The problem is that the client certificate presented can be issued from one of about 100 different CAs.

There is an XML feed which provides me all of the valid CA certificates and I already have a solution to get these into a certificate bundle on the F5, so that's not a problem.

I also have an iRule to check the certificate fingerprint against a whitelist, again this works great.

However, I am required to check for certificate revocation. Each certificate will have either (or both) a CRL distribution point or an OCSP responder listed in its X509 fields.

Is there anyway I can get the 5 to automatically check for certificate revocation against these fields without having to manually import all of the CRL lists and/or setup all the OCSP responders manually?

Or failing that, is the a (simplish) way for the F5 to scan the CA bundle and automatically download all the CRL files and concatenate them.

Forum Discussion

CRL & OCSP validtion of client certificates from X509 fields

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Re: Management Certificate

ASM vs to APM vs and client certificates

Client ssl certification bulk installation

Certifications for security professionals

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS