Forum Discussion
Squeak_117117
Nimbostratus
Apr 12, 2018
Machine Cert Auth and CRLDP issue
Hello!
I'm having an issue with CRLDP checking for clients that are connecting with the F5 Edge client. The Edge client passes every VPE box but it fails when it comes to the "CRLDP Auth". The er...
youssef1
Cumulonimbus
Apr 12, 2018
Hello,
For information, the CRLDP function does not currently support HTTP-based CRL fetching, only LDAP. The number indicates the support ID assigned to track the request.
So you have to use an LDAP CRL URL and not an HTTP-based CRL...
Check what F5 expects:
A client certificate issued by a Certificate Authority (CA) may contain CRLDP information in the following formats:
* X.500 Directory Name
* HTTP or FTP URI
* LDAP URI
The following example is a snippet of the CRLDP information presented in LDAP URI format with a hostname:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
The following example is a snippet of the CRLDP information presented in LDAP URI format without a hostname:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
https://support.f5.com/csp/article/K12975
For information, the enhancement for CRLDP in order to work with HTTP URLs is being tracked in ID325296 (https://devcentral.f5.com/questions/crldp-using-http-url-base-).
Regards,
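To check which of the formats listed in the reply a client certificate actually carries, the CRL distribution point text can be parsed offline. The Python below is an added example, not part of the original posts or of F5's code; the function names are illustrative, and the `[3]` HTTP entry on `example.test` is constructed to show the non-LDAP case.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed input: the two LDAP entries from the reply (wrapped) plus a hypothetical HTTP one.
SAMPLE_DUMP = """\
[1]CRL Distribution Point
     Full Name:
          URL=ldap://win2k3-1.sglab.askf5.com/CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,
DC=sglab,DC=askf5,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
[2]CRL Distribution Point
     Full Name:
          URL=ldap:///CN=win2k3-1,CN=win2k3-1,CN=CDP,CN=Public%20Key%20Services,
CN=Services,CN=Configuration,DC=sglab,DC=askf5,
DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
[3]CRL Distribution Point
     Full Name:
          URL=http://crl.example.test/ca.crl
"""

def extract_uris(dump):
    """Return each URL= value, re-joining values wrapped across lines."""
    found = re.findall(r"URL=(.*?)(?=\[\d+\]CRL Distribution Point|\Z)", dump, re.S)
    return ["".join(chunk.split()) for chunk in found]

def parse_cdp(uri):
    """Split a CDP URI; LDAP URLs follow RFC 4516: ldap://host/dn?attrs?scope?filter."""
    parts = urlsplit(uri)
    info = {"scheme": parts.scheme.lower(), "host": parts.hostname or ""}
    info["is_ldap"] = info["scheme"] == "ldap"
    if info["is_ldap"]:
        attrs, scope, flt = (parts.query.split("?") + ["", "", ""])[:3]
        info.update(dn=unquote(parts.path.lstrip("/")), attribute=unquote(attrs),
                    scope=scope or "base", filter=unquote(flt))
    return info

def report(dump):
    """One summary line per distribution point found in the dump."""
    out = []
    for uri in extract_uris(dump):
        cdp = parse_cdp(uri)
        if cdp["is_ldap"]:
            host = cdp["host"] or "<no host in URI>"
            out.append(f"ldap: host={host} scope={cdp['scope']} dn={cdp['dn']}")
        else:
            out.append(f"{cdp['scheme']}: not an LDAP URI ({uri})")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMP)))
```
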