F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

_JOHN_'s avatar
_JOHN_
Icon for Altocumulus rankAltocumulus
Aug 10, 2022

CRL Validator

From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report: Bug ID 743758 (f5.com) I have no experience of CRL Validator.  I have just started to read about it, but...
application delivery
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 15, 2022

Just a few additional points, don't really want to belabor the OCSP topic.

  • OCSP will be faster in situations where there are large CRLs. An OCSP request is a tiny binary payload wrapped in a single HTTP request. The total transaction (req and rep) is usually less that 1K.
  • A local OCSP would need to know the remote CRLs it's managing so it can go get them and cache. That's no different than the CRL situation you have now. And since the responder knows what and where they are, it'll always have a copy (fresh or otherwise) of that CRL and can make a valid OCSP response.
  • My suggestion then, if local CRL validation is what you're aiming for, is to create a timed script that simply generates a query to the BIG-IP VIP and performs mTLS with a cert from each of the known issuers. This will force the BIG-IP to always have an up-to-date CRL in cache.