Forum Discussion

JoeTheFifth's avatar
JoeTheFifth
Icon for Altostratus rankAltostratus
May 25, 2011

F5 SSL CRL Config

Hi Guys,

 

 

I'm new here. Just registered today. I'm not an F5 expert but I use the Virtual edition in my SharePoint private test lab.

 

We have come across an issue in our work test lab. Here are the details.

 

I would like your point of view or recommendations on how to solve this:

 

We have two SharePoint servers behind an F5 appliance. We configured an SSL profile to upgrade the SharePoint sites to HTTPS.

 

We have the root+intermediate+webapplication certificates (all the chain) on the F5. Everything is working great BUT when I try to edit a work file from the SharePoint site I get a revocation check request.

 

Out test lab is not connected to the internet and some of our production clients are not connected to the internet.

 

If we uncheck the box in IE (check server certificate) the message disappears.

 

We don't want this message to appear for our clients and we don't want to touch IE config.

 

Question: is it possible to make the F5 appliance supply the revocation list for our clients. I read that configuring CRL per profile is possible but I'm not sure if it's intended only for use by the F5 appliance to check the certificate revocation list for itself or if this config can be published to clients so they can check the CRL on the appliance instead of trying to the hard coded url (verisign :

 

http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl) in the certificate. Something in the line of intermediate certificate config.

 

 

here is the link which talks about CRL config: http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_1/ltm_ssl_profiles.html1298333

 

 

Please your feedback. Thanks
  • What's the message the client shows when the CRL download attempt fails on the client? Which browser(s) do you see this with?

     

     

    I think the CRL setting on the client SSL profile is only used if you're requesting or requiring a client cert. It is then used to determine whether the cert the client presents has been revoked or not. So I don't think there is an LTM-specific fix for this.

     

     

    Aaron
  • Hi Aaron,

     

     

    thanks for your reply.

     

     

    We use IE8.

     

    The message is :

     

    Revocation information for the security certificate for this site is not available. Do you want to proceed? [Yes] [No] [View certificate]

     

     

    Looks like we have the same comprehension of the CRl settings on the LTM. I also think it is used by the LTM to verify client certificates and cannot be used to supply a CRL for the client on behalf of Verisgn for example;