Forum Discussion
Machine Certificate Revocation Checks
Hi guys,
Just a quick one. Can you use a CRLDP AAA server to validate machine certificates? As far as I can see this can only be done using an OCSP responder but I just wanted to confirm.
Thanks
Peter
2 Replies
- myocella
Nimbostratus
Thanks Kevin. The solution works like a charm.
Is it possible to have CRLDP auth if OCSP is not available?
- Martin_Vlasko
Altocumulus
Hi,
This solution looks to be working in my case, up to the point where I want to check the machine certificate against the CRL list with a CRLDP check (server connection: no server, so direct HTTP access).
It sometimes fetches the new CRL, sometimes not - based on TCPDUMP and firewall logs.
I was thinking about CRL cache. So I modified the attributes of the CRLDP server:
Cache Timeout: 10 seconds
Update Interval: 5 seconds
I did this just to be sure that while I am testing this policy, F5 fetched fresh CRL every time I reach the policy.
Scenario: the machine certificate was added to the CRL list, and CRLDP correctly denied access. Then the certificate was removed from the CRL list, and since then CRLDP still keeps denying access. It looks like it's using a cached copy of the CRL, although I configured the CRLDP to update the CRL every 5 seconds.
Anybody faced this issue too?
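The stale-cache behaviour described above can be reasoned about with a small model. The following is an added example, not code from the thread or from F5; it assumes a CRL carries thisUpdate/nextUpdate timestamps (as in RFC 5280) and compares two cache policies: refresh purely on the configured timeout, versus holding a fetched CRL until its nextUpdate. Whether a given appliance honours nextUpdate is an assumption to verify against the actual CRL, not a documented F5 behaviour.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass
class Crl:
    this_update: int        # seconds on a constructed clock
    next_update: int        # CRL is considered valid until this time
    revoked: FrozenSet[int]  # revoked certificate serial numbers


@dataclass
class CrldpCache:
    cache_timeout: int           # configured cache timeout (10 s on the page)
    honour_next_update: bool     # assumption: keep CRL until its nextUpdate?
    fetched_at: int = -1
    crl: Optional[Crl] = None

    def lookup(self, now: int, fetch: Callable[[int], Crl]) -> Crl:
        # Stale by the configured timeout (or nothing cached yet).
        stale = self.crl is None or now - self.fetched_at >= self.cache_timeout
        # Policy variant: a CRL still inside its validity window is reused
        # regardless of the configured timeout.
        if self.crl is not None and self.honour_next_update and now < self.crl.next_update:
            stale = False
        if stale:
            self.crl = fetch(now)
            self.fetched_at = now
        return self.crl


def is_revoked(cache: CrldpCache, serial: int, now: int, fetch) -> bool:
    return serial in cache.lookup(now, fetch).revoked


def simulate(honour_next_update: bool) -> list:
    # Constructed CA timeline: serial 0x1234 is on the CRL published at t=0
    # (valid for an hour); at t=20 the CA publishes a CRL without it.
    def fetch(now: int) -> Crl:
        if now < 20:
            return Crl(0, 3600, frozenset({0x1234}))
        return Crl(20, 3620, frozenset())

    cache = CrldpCache(cache_timeout=10, honour_next_update=honour_next_update)
    # Policy evaluations at t = 0, 15, 25 and 35 seconds.
    return [is_revoked(cache, 0x1234, t, fetch) for t in (0, 15, 25, 35)]
```

With timeout-only refresh the removal becomes visible at the first refresh after t=20, while a cache that honours nextUpdate keeps denying for the whole hour, so checking the CRL's nextUpdate field is the first thing to compare against the observed fetches.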