For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

boneyard's avatar
boneyard
Icon for MVP rankMVP
Feb 28, 2013

CRL update script issue

I have been using a script to download a CRL from the Windows CA server, convert it and import it in the BIG-IP (version 11) via the tmsh modify command, this all works fine. the only issue with this...
config
design
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Mar 11, 2013
Well, to your original point, updating a flat CRL in an LTM client SSL profile will indeed be seen as a configuration change - as intended. The problem is really twofold:

 

 

1. Your flat file local CRLs expire on some semi-regular basic, requiring an update that throws the peers out of sync

 

2. Automatically syncing peers, without some oversight, is generally not a good thing

 

 

The root of the problem is that the object you need to update is system-dependent, which would apply to ANY object that you updated on one of the peers. The answer to this problem is really to avoid a system-dependent mechanism for certificate revocation. The Access Policy Manager module alleviates most of the pain of local CRL management with more robust certificate revocation mechanisms (OCSP and CRLDP) and is not system-dependent (aside from its static configuration).