F5 LTM V11 CRL file uploading Error
I believe the file size limit for flat CRLs is still 4mb. Here are a few alternatives:

- OCSP - by far the best and fastest revocation mechanism (if you can support it); sends a single (tiny) certificate validation request (issuer and cert serial) to a remote OCSP service. Depending on your platform you may have OCSP already available to you as an LTM Authentication profile. Otherwise this is accomplished with the Access Policy Manager (APM) module.
- CRLDP - this mechanism downloads and caches a remote CRL based on the CRLDP field of a certificate (user or issuer). Because it's a potentially large file, initial revocation checks can stall while the complete file is downloading. Afterwards it is cached for some length of time. CRLDP is also (possibly) available as an LTM Authentication profile, or otherwise with APM. Currently, only LDAP-based CRL retrieval is supported (not HTTP). I do not believe there is a file size limitation in the APM CRLDP cache.
- Extract serial numbers to a table - a bit more complicated than the other options: use a shell script to manage and download remote CRLs, then fill a session table with serial numbers (via a services VIP). The session table can handle upwards of 700k records. You don't get the warm fuzzy of a "signed" receipt, but it'll get the job done. If you have multiple CRLs, create multiple session tables, or better, if the serial numbers are sequential, split them into several smaller tables that will more easily spread across the TMM instances, and then catalog where each table starts and ends.

Your mileage may vary with the last two options, so I highly recommend the first.
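The third option above (download the CRL, extract the revoked serial numbers, split them into bounded tables and catalog the ranges) as an added, stand-alone Python example; it is not code from the post above or from F5. It parses the DER structure of a CRL with no external library, accepts PEM or DER input, and produces the table catalog. A small CRL is constructed inline (with a placeholder signature) so the script runs offline; the session-table loading itself (the iRule or services-VIP side) is not shown, and the CRL's signature must be verified before its contents are trusted, since that is exactly the "signed receipt" this approach otherwise loses.

```python
"""Added example, not from the DevCentral post or from F5: parse a CRL without
external libraries, pull out the revoked serial numbers and plan how to split
them into several bounded tables. The CRL below is constructed for the demo."""
import base64

# ---- minimal DER helpers ---------------------------------------------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    # (bit_length + 8) // 8 keeps a leading 0x00 when the high bit is set
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

# ---- constructed sample CRL (placeholder signature, issuer "Example CA") ----
def build_sample_crl(serials) -> bytes:
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")  # sha256WithRSA
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))
    issuer = tlv(0x30, tlv(0x31, cn))
    utc = lambda s: tlv(0x17, s.encode())
    revoked = tlv(0x30, b"".join(tlv(0x30, der_int(s) + utc("240101000000Z")) for s in serials))
    tbs = tlv(0x30, der_int(1) + alg + issuer + utc("240601000000Z")
              + utc("240701000000Z") + revoked)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))

def to_pem(crl_der: bytes) -> bytes:
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl_der) + b"-----END X509 CRL-----\n"

def load_crl(data: bytes) -> bytes:
    """Accept PEM or DER. Signature verification belongs before this step."""
    if b"-----BEGIN X509 CRL-----" in data:
        body = data.split(b"-----BEGIN X509 CRL-----")[1].split(b"-----END")[0]
        return base64.b64decode(b"".join(body.split()))
    return data

def revoked_serials(crl_der: bytes):
    """Walk CertificateList -> TBSCertList -> revokedCertificates (RFC 5280)."""
    _, outer, _ = read_tlv(crl_der, 0)
    tbs = children(children(outer)[0][1])    # TBSCertList fields
    i = 1 if tbs[0][0] == 0x02 else 0        # optional version
    i += 3                                   # signature, issuer, thisUpdate
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):
        i += 1                               # optional nextUpdate
    if i >= len(tbs) or tbs[i][0] != 0x30:
        return []                            # no revokedCertificates present
    return [int.from_bytes(children(e)[0][1], "big") for _, e in children(tbs[i][1])]

def plan_tables(serials, max_per_table: int):
    """Sort and cut the serials into bounded ranges; returns the catalog of
    (table_index, first_serial, last_serial, count) that the lookup side needs."""
    s = sorted(set(serials))
    chunks = (s[i:i + max_per_table] for i in range(0, len(s), max_per_table))
    return [(k, c[0], c[-1], len(c)) for k, c in enumerate(chunks)]

if __name__ == "__main__":
    crl = load_crl(to_pem(build_sample_crl([0x2001, 0x1000, 0x1002, 0x1001, 0x2000])))
    for row in plan_tables(revoked_serials(crl), max_per_table=2):
        print("table %d: %x .. %x (%d serials)" % row)
```

Run it against a real CRL by replacing the constructed input with the bytes your download script fetched; the catalog it prints is what the lookup side uses to decide which table to query for a given serial.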