Forum Discussion
Hille_de_Graaf_
Nimbostratus
Apr 13, 2010
CRL verification in iRule
Hi,
Is it possible to verify an SSL CRL (Certificate Revocation List) within an iRule?
The reason is that we have two different CA issuers (from the same PKI company) with two...
Hille_de_Graaf_
Nimbostratus
Apr 14, 2010
Hi Aaron,
We are not using the advanced client auth license. Also, the provider doesn't support OCSP.
We also opened a case with F5 and they replied with the following:
-------------------------------------------------------------------------------------------------------
Creating an aggregate CRL file
If you need to revoke certificates from more than one CA, you can create an aggregate CRL file simply by concatenating the CRL files from each CA.
For example, if you have a CRL file generated by a commercial CA, commercial_crl.pem, and another CRL file generated by a home-grown OpenSSL CA, openssl_crl.pem, you can combine these into a single CRL file as follows:
Windows:
copy commercial_crl.pem + openssl_crl.pem crl.pem
UNIX:
cat commercial_crl.pem openssl_crl.pem > crl.pem
-------------------------------------------------------------------------------------------------------
I concatenated the two CRL files to one aggregated file and loaded it into the SSL client profile.
It works for both client certificates..., but I still have to test it with client certificates that are revoked (I'm waiting for the provider to provide me two certificates that are revoked).
Hille
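A way to check the aggregate crl.pem described above before loading it into the client SSL profile, as an added example that is not part of the original thread or of F5's reply: `openssl crl` reads only the first CRL in a file, so the script splits the file into its blocks and prints the issuer and update window of each. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: inspect an aggregate CRL file (e.g. crl.pem from the post).
# Function names are illustrative; only standard grep, awk and openssl options are used.

# Succeeds if one line carries both an END and a BEGIN marker, which happens
# when the first CRL file had no trailing newline before concatenation.
has_fused_markers() {
    grep -q -e '-----END X509 CRL-----.*-----BEGIN X509 CRL-----' "$1"
}

# split_crls FILE OUTDIR: write each CRL block to OUTDIR/crl_N.pem, print the count.
split_crls() {
    awk -v dir="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----BEGIN X509 CRL-----/ { n++; out = dir "/crl_" n ".pem"; inblk = 1 }
        inblk { print > out }
        /^-----END X509 CRL-----/ { if (inblk) close(out); inblk = 0 }
        END { print n + 0 }
    ' "$1"
}

# report_crls FILE: print issuer and validity window of every CRL in FILE.
report_crls() {
    if has_fused_markers "$1"; then
        echo "error: END/BEGIN markers share a line in $1" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 1
    count=$(split_crls "$1" "$tmp")
    echo "CRL blocks found: $count"
    i=1
    while [ "$i" -le "$count" ]; do
        openssl crl -in "$tmp/crl_$i.pem" -noout -issuer -lastupdate -nextupdate
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Run only when a file name is given: sh crl_report.sh crl.pem
if [ "$#" -gt 0 ]; then
    report_crls "$1"
fi
```

A count lower than the number of issuing CAs, or a nextUpdate date in the past, means the aggregate file needs to be rebuilt from fresh CRLs.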