Forum Discussion
Machine Cert Auth and CRLDP issue
Hello!
I'm having an issue with CRLDP checking for clients that are connecting with the F5 Edge client. The edge client passes every VPE box but it fails when it comes to the "CRLDP Auth". The error message in the APM log is: CRLDP Auth agent: Failure status 'No CRL distribution point found in the certificate'
I've verified that the Machine Cert has a CRL field in the certificate. URL=http://crl.xyz.se/ROOT-CA.crl
I'm using the "No Server" option in the CRLDP configuration.
Thanks in advance.
- youssef1
Cumulonimbus
Hello,
For information, the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.
So you have to use an LDAP CRL URL and not an HTTP-based CRL...
Check what F5 expects:
A client certificate issued by a Certificate Authority (CA) may contain CRLDP information in the following formats:
* X.500 Directory Name
* HTTP or FTP URI
* LDAP URI

The following example is a snippet of the CRLDP information presented in LDAP URI format with a hostname:

[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

The following example is a snippet of the CRLDP information presented in LDAP URI format without a hostname:

[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
https://support.f5.com/csp/article/K12975
For information, the enhancement for CRLDP in order to work with HTTP URLs is being tracked in ID325296 (https://devcentral.f5.com/questions/crldp-using-http-url-base-).
Regards,
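
A pre-deployment check for the distinction drawn in the reply above, as an added example that is not part of the original thread and is not F5 code: it reads the CRL Distribution Point text of a certificate as a certificate viewer prints it, reports the URI scheme of each entry, and splits LDAP entries into the fields of an RFC 4516 LDAP URL. The function names and the two sample strings are assumptions constructed from the values quoted in this thread.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed samples: CDP text built from the URLs quoted in this thread.
SAMPLE_HTTP = ("[1]CRL Distribution Point Distribution Point Name: Full Name: "
               "URL=http://crl.xyz.se/ROOT-CA.crl")
SAMPLE_LDAP = ("[1]CRL Distribution Point Distribution Point Name: Full Name: "
               "URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,"
               "CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
               "DC=sglab,DC=askf5,DC=com"
               "?certificateRevocationList?base?objectClass=cRLDistributionPoint")

def parse_ldap_url(url):
    """Split an LDAP URL (RFC 4516): ldap://host/dn?attributes?scope?filter."""
    parts = urlsplit(url)
    # Everything after the first '?' holds up to three '?'-separated fields.
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    return {
        "host": parts.hostname,               # None for the ldap:/// form
        "dn": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in fields[0].split(",") if a],
        "scope": fields[1] or "base",         # RFC 4516 default scope
        "filter": unquote(fields[2]) or "(objectClass=*)",  # RFC 4516 default
    }

def audit_cdp(text):
    """Return one finding per URL= entry found in the CDP text."""
    findings = []
    for url in re.findall(r"URL=(\S+)", text):
        scheme = urlsplit(url).scheme.lower()
        entry = {"url": url, "scheme": scheme, "ldap": None}
        if scheme == "ldap":
            entry["ldap"] = parse_ldap_url(url)
        findings.append(entry)
    return findings

def has_ldap_cdp(text):
    """True when at least one distribution point is an LDAP URI."""
    return any(f["ldap"] for f in audit_cdp(text))

if __name__ == "__main__":
    for name, text in (("http-only", SAMPLE_HTTP), ("ldap", SAMPLE_LDAP)):
        print(name, "-> LDAP distribution point present:", has_ldap_cdp(text))
        for f in audit_cdp(text):
            print("   ", f["scheme"], f["ldap"] or f["url"])
```

A certificate for which `has_ldap_cdp` returns False carries only the kind of distribution point that, per the reply above, the CRLDP agent does not fetch.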