_JOHN_
Aug 10, 2022 · Altocumulus
CRL Validator
From v15.1 onwards, client SSL profiles support CRL validator objects, as per this bug report: Bug ID 743758 (f5.com). I have no experience with CRL Validator. I have just started to read about it, but...
I am also concerned about dynamic CRLs. Does anyone know how to clear the cached CRL file? Let's assume BIG-IP cached the CRL with a Next Update one week away. What if I, for any reason, need to start from scratch and make BIG-IP fetch the CRL again? I have not found a way to achieve this.
Kevin Stewart mentioned "You could always run a script to periodically issue a request that triggers a CRL download", but I am not sure how to do it. Even if I create a new CRL under cert-validator (/sys crypto cert-validator crl) and use it in the client-ssl profile, it uses the previously cached CRL without trying to fetch the CRL.
-----------------------------------
Sys::CRL: XXXXXXXXX
-----------------------------------
Total Fetches                       0
Successful Fetches                  0
New CRL Fetch Attempts              0
Cached CRL Updates                  0
Internal Errors                     0
Connection Errors
  HTTP Errors                       0
  Timeouts                          0
  Other Failures                    0
Validation Errors
  Parsing Failures                  0
  Verification Errors               0
  Validity Errors                   0
  Other Errors                      0
Total Certificate Status Queries    2
Certificate Status
  Good                              2
  Revoked                           0
  Unknown                           0
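One way to act on Kevin Stewart's "run a script that triggers a CRL download" suggestion, as an added example that is not part of the post and not F5 code: open one client-certificate TLS handshake against the virtual server so the client-ssl profile's CRL validator has to evaluate a certificate, then read the validator counters before and after and check whether "Total Fetches" moved. Assumptions, labelled in the code as well: the counters come from `tmsh show sys crypto cert-validator crl <name>` in the layout quoted above (the exact show command is an assumption); a client-cert handshake is what makes the validator consult the CRL; the script reaches the BIG-IP over ssh as an admin user; the CRL object name, virtual server host, port and client cert/key paths are placeholders. The parsing and comparison run offline against the stats text quoted in the post plus a constructed "after" snapshot.

```shell
#!/bin/sh
# Added example, not from the original post or from F5.
# Assumptions: `tmsh show sys crypto cert-validator crl <name>` prints the
# counters in the layout quoted in the post; a client-cert TLS handshake
# makes the client-ssl profile's CRL validator consult the CRL; ssh access
# to the BIG-IP management address as an admin account.
set -eu

# Stats text copied from the post (object name redacted there as XXXXXXXXX).
SAMPLE_BEFORE='Sys::CRL: XXXXXXXXX
Total Fetches                       0
Successful Fetches                  0
New CRL Fetch Attempts              0
Cached CRL Updates                  0
Internal Errors                     0
Connection Errors
  HTTP Errors                       0
  Timeouts                          0
Total Certificate Status Queries    2
Certificate Status
  Good                              2
  Revoked                           0
  Unknown                           0'

# Constructed "after" snapshot: one fetch happened, one more query answered.
SAMPLE_AFTER='Sys::CRL: XXXXXXXXX
Total Fetches                       1
Successful Fetches                  1
New CRL Fetch Attempts              1
Cached CRL Updates                  0
Total Certificate Status Queries    3
Certificate Status
  Good                              3
  Revoked                           0
  Unknown                           0'

# Print the integer value of one counter (e.g. "Total Fetches") from stats
# text on stdin. Group headers such as "Connection Errors" carry no number
# and are skipped; nothing is printed if the counter is absent.
crl_counter() {
    awk -v key="$1" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # strip indentation
            if (index(line, key) == 1) {          # key is a prefix of the line
                n = split(line, f, /[ \t]+/)
                if (f[n] ~ /^[0-9]+$/) { print f[n]; exit }
            }
        }'
}

# Succeed and print the new "Total Fetches" value if it rose between the two
# snapshots given as $1 (before) and $2 (after); fail otherwise.
fetch_happened() {
    b=$(printf '%s\n' "$1" | crl_counter "Total Fetches")
    a=$(printf '%s\n' "$2" | crl_counter "Total Fetches")
    [ "${a:-0}" -gt "${b:-0}" ] && printf '%s\n' "$a"
}

# Live counters over ssh: $1 = admin@bigip-mgmt (placeholder), $2 = CRL name.
crl_stats() {
    ssh "$1" tmsh show sys crypto cert-validator crl "$2"
}

# One mTLS handshake against the virtual server ($1 host, $2 port) with the
# client cert/key in $3/$4. A rejected certificate still counts as a query,
# so a non-zero exit from s_client is tolerated.
trigger_handshake() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -cert "$3" -key "$4" >/dev/null 2>&1 || true
}

# Usage: sh crl_refetch.sh --run admin@bigip CRLNAME vs.example.com 443 client.crt client.key
main() {
    before=$(crl_stats "$1" "$2")
    trigger_handshake "$3" "$4" "$5" "$6"
    sleep 2
    after=$(crl_stats "$1" "$2")
    if n=$(fetch_happened "$before" "$after"); then
        echo "CRL fetch triggered (Total Fetches now $n)"
    else
        echo "no new fetch: the validator answered from the cached CRL" >&2
        exit 1
    fi
}

case "${1:-}" in --run) shift; main "$@" ;; esac
```

Run it from cron at whatever interval you want the CRL re-checked; a non-zero exit tells you the handshake was answered from the cache, which is exactly the situation the post describes and lets you alert on it rather than assume the CRL is fresh.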