_JOHN_
Aug 10, 2022 Altocumulus
CRL Validator
From v15.1 onwards client SSL profiles support CRL validator objects as per this bug report: Bug ID 743758 (f5.com). I have no experience of CRL Validator. I have just started to read about it, but...
Hello everyone,
Interesting topic so far, also for me.
I found that the dynamic CRL files seem to be cached for a really long time. We have one dynamic CRL which got queried 6 times in about 6 months, based on the output of "tmsh show sys crypto cert-validator crl".
These dynamic CRLs seem to be saved under: "/config/filestore/crl_file_cache_d/"
Unfortunately, these are not in standard openssl x509 CRL format.
So I can't verify them with "openssl crl -in <crl-file-name> -noout -text". The result is currently:
"unable to load CRL
140058772170416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: X509 CRL"
We would also like to know how to verify the content of the currently loaded CRL for troubleshooting purposes. We also need a way of forcing a re-download of a CRL.
Regards