Franco_30420
Oct 01, 2013

Dynamic CRL check on APM

Hi there!

I am trying to get a certificate authentication working on a BigIP APM. Certificates coming from two different CAs must be able to authenticate. CRLs must be fetched using HTTP.

I am able to get the issuer (session.ssl.cert.issuer) but I did not find the way to dynamically compare the certificate to the correct CRL (as it would be possible using CRLDP or OCSP Auth).

Any ideas? Regards,

\Franco

 

1 Reply

  • As you've probably noticed, APM supports OCSP and CRLDP for certificate revocation checking. OCSP is an HTTP/OCSP call to a remote service and does not require direct access to the CRL, while CRLDP fetches the remote CRL (as defined in the certificate) and compares it locally. Currently, the CRLDP mechanism only supports LDAP-based retrieval.
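
The local comparison discussed in this thread (pick the CRL whose issuer matches the client certificate's issuer, then look up the serial) can be sketched in Python. This is an added example, not part of the thread and not APM configuration or iRule code. The CA names, keys, certificates and CRLs are all constructed, the function names are hypothetical, and it assumes a recent `cryptography` package and direct (not indirect) CRLs.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = dt.datetime(2024, 1, 1)          # constructed validity window
T1 = T0 + dt.timedelta(days=30)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(ca_key, ca_cn, subject_cn, serial):
    """Constructed client certificate signed by ca_key."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(ca_cn))
            .public_key(leaf_key.public_key()).serial_number(serial)
            .not_valid_before(T0).not_valid_after(T1)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cn, revoked_serials):
    """Constructed CRL, standing in for one fetched over HTTP."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(name(ca_cn)).last_update(T0).next_update(T1))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(s).revocation_date(T0).build())
    return b.sign(ca_key, hashes.SHA256())

def is_revoked(cert, trusted):
    """trusted: list of (CA public key, CRL) pairs, one per accepted CA."""
    for ca_pub, crl in trusted:
        if crl.issuer != cert.issuer:
            continue                  # this CRL belongs to the other CA
        if not crl.is_signature_valid(ca_pub):
            raise ValueError("CRL signature does not verify")
        hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
        return hit is not None
    # No CRL for this issuer: reject instead of skipping the check.
    raise LookupError("no CRL available for certificate issuer")

# Two constructed CAs; serial 7 is revoked by CA A only.
KEY_A = ec.generate_private_key(ec.SECP256R1())
KEY_B = ec.generate_private_key(ec.SECP256R1())
TRUSTED = [(KEY_A.public_key(), make_crl(KEY_A, "Example CA A", [7])),
           (KEY_B.public_key(), make_crl(KEY_B, "Example CA B", []))]
```

Serial numbers are only unique per issuer, so a certificate from CA B with serial 7 must not be treated as revoked because CA A's CRL lists 7; that is why the issuer match comes before the serial lookup.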