Forum Discussion
Hi CentOne,
Yes, it works for me now; I had to do a workaround for the CRL check.
If you are also using a CRL for "Certificate Revocation List (CRL)" within the CA profile (Local Traffic > Profiles > SSL > Certificate Authority), then do the following:
- uncheck "Update CRL" (in Local Traffic > Profiles > SSL > Certificate Authority > your profile)
- set "Certificate Revocation List (CRL)" to "None" (also in your CA profile)
Then go to Access Policy > AAA Servers > CRLDP, and create a new profile here (choose timeout values that fit your environment):
- Server Connection: No Server
- Cache Timeout: 86400
- Use Issuer: unchecked
- Allow Null CRL: unchecked
- Verify Signature: Enabled
- Connection Timeout: 15 seconds
- Update Interval: 0 seconds
Then go to your APM policy and under the action "Machine Cert Checker" configure the following:
- Certificate Store Name: MY
- Certificate Store Location: LocalMachine
- CA Profile: your CA profile discussed above
- Save Certificate in a session variable: Enabled
- Allow User Account Control right elevation prompts: Yes
- Match subject CN with FQDN: Yes
- Match Issuer: the CN of your issuing CA
Right after this action insert "Variable Assign" action to policy and assign two variables:
- session.ssl.cert.whole = (Session Variable) session.check_machinecert.last.cert.cert
- session.ssl.cert.certissuer = (Session Variable) session.check_machinecert.last.cert.issuer.cert
Right after this action insert "CRLDP Auth Agent" action to policy:
- CRLDP Server: choose the one you created under Access Policy > AAA Servers > CRLDP
And that's it; it works for me.
FYI, I learned about the CRLDP workaround from Kevin's post here: https://devcentral.f5.com/questions/machine-certificate-revocation-checksanswer160001
Let me know if you are also successful with this configuration.
Hi,
I tried the same config; however, I am getting the error and response below in the APM session logs.
(null):Common:c8a55694: CRLDP Auth agent: CRL lookup failed for LDAP url 'http://abc.dns.com/CDP/filename.crl' reason 'Bad HTTP response status'
Could you suggest how to resolve this issue? It looks like the F5 is not able to resolve the domain to the CRL server's IP address.
Regards,
Sushil Kolekar
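The CRLDP agent configured in the first post has to do three things in sequence: resolve the CDP hostname, get an HTTP 200 from the distribution point, and receive a DER-encoded CRL it can verify. The error in the second post does not say which of those stages failed, so the following probe, an added example that is not F5's code and not from either poster, runs the same stages from a host you control and names the first one that fails. It uses only the Python standard library; the CDP hostname, the `/CDP/filename.crl` path and the served bytes are constructed stand-ins (the fake server answers on localhost so the example runs offline), not a real CRL.

```python
"""Probe a CRL distribution point the way a CRLDP lookup would:
resolve the host, fetch the URL over HTTP, sanity-check the body.

Added example (not F5's code). Standard library only; a constructed
HTTP server stands in for the CDP so it runs offline.
"""
import socket
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder that merely begins like a DER SEQUENCE (0x30).
# It is NOT a real CRL; it is just enough for the format check below.
FAKE_DER_CRL = b"\x30\x82\x01\x00" + b"\x00" * 256
FAKE_PEM_CRL = b"-----BEGIN X509 CRL-----\nMIIB\n-----END X509 CRL-----\n"


def probe_crl_url(url, timeout=15):
    """Return a dict with 'stage' set to the first failing step:
    'dns' (name does not resolve), 'connect' (no TCP/HTTP answer),
    'http' (non-2xx status, e.g. 404), 'body' (not DER), or 'ok'."""
    parsed = urllib.parse.urlsplit(url)
    result = {"url": url, "host": parsed.hostname, "addresses": [],
              "status": None, "stage": None, "ok": False, "detail": ""}
    # Stage 1: DNS resolution, independent of the web server.
    try:
        infos = socket.getaddrinfo(parsed.hostname, parsed.port or 80,
                                   type=socket.SOCK_STREAM)
        result["addresses"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["stage"], result["detail"] = "dns", str(exc)
        return result
    # Stage 2: HTTP fetch; HTTPError must be caught before URLError.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read()
            result["status"] = resp.status
    except urllib.error.HTTPError as exc:
        result["status"] = exc.code
        result["stage"], result["detail"] = "http", f"HTTP {exc.code}"
        return result
    except (urllib.error.URLError, OSError) as exc:
        result["stage"], result["detail"] = "connect", str(exc)
        return result
    # Stage 3: the CDP must serve DER; PEM or an HTML error page is not
    # something a CRL verifier can parse.
    result["length"] = len(body)
    if not body or body[0] != 0x30:
        result["stage"] = "body"
        result["detail"] = "body does not start with a DER SEQUENCE (0x30)"
        return result
    result["stage"], result["ok"] = "ok", True
    return result


class _FakeCDPHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the CDP web server (example only)."""

    def do_GET(self):
        if self.path == "/CDP/filename.crl":
            payload, ctype = FAKE_DER_CRL, "application/pkix-crl"
        elif self.path == "/CDP/pem.crl":
            payload, ctype = FAKE_PEM_CRL, "text/plain"
        else:
            self.send_error(404)  # the 'Bad HTTP response status' case
            return
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_fake_cdp():
    """Start the constructed CDP on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeCDPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_fake_cdp()
    for path in ("/CDP/filename.crl", "/CDP/missing.crl", "/CDP/pem.crl"):
        r = probe_crl_url(base + path)
        print(path, "->", r["stage"], r["status"], r["detail"])
    server.shutdown()
```

Run it from a host on the same network path the BIG-IP uses (or point `probe_crl_url` at the real CDP URL from the log); a `dns` stage points at the resolver configured on the device, an `http` stage at the web server or the path in the certificate's CDP extension, and a `body` stage at a CDP that serves PEM or an HTML page instead of DER. The probe only checks reachability and encoding; it does not verify the CRL signature or check a serial number.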