Machine Certificate Check - why does it fail?

Hi CentOne,

Yes it works for me now, I had to do a workaround for CRL check.

If you are also using a CRL for "Certificate Revocation List (CRL)" within CA profile (Local Traffic > Profiles > SSL > Certificate Authority), then do following:

• uncheck "Update CRL" (in Local Traffic > Profiles > SSL > Certificate Authority > your profile)
• set "Certificate Revocation List (CRL)" to "None" (also in your CA profile)

Then go to Access Policy > AAA Servers > CRLDP, and create new profile here (choose timeout values that fit your environment):

• Server Connection: No Server
• Cache Timeout: 86400
• Use Issuer: unchecked
• Allow Null CRL: unchecked
• Verify Signature: Enabled
• Connection Timeout: 15 seconds
• Update Interval: 0 seconds

Then go to your APM's policy and under the action "Machine Cert Checker" configure following:

• Certificate Store Name: MY
• Certificate Store Location: LocalMachine
• CA Profile: your CA profile discussed above
• Save Certificate in a session variable: Enabled
• Allow User Account Control right elevation prompts: Yes
• Match subject CN with FQDN: Yes
• Match Issuer: the CN of your issuing CA

Right after this action insert "Variable Assign" action to policy and assign two variables:

• session.ssl.cert.whole = (Session Variable) session.check_machinecert.last.cert.cert
• session.ssl.cert.certissuer = (Session Variable) session.check_machinecert.last.cert.issuer.cert

Right after this action insert "CRLDP Auth Agent" action to policy:

• CRLDP Server: choose the one you created under Access Policy > AAA Servers > CRLDP

And that's it, works for me.

FYI, about the CRLDP workaround I learned from Kevin's post here: https://devcentral.f5.com/questions/machine-certificate-revocation-checksanswer160001

Let me know if you are also successful with this configuration.