Forum Discussion

2 Replies

  • Thanks Kevin. The solution works like a charm.


    Is it possible to have CRLDP auth if OCSP is not available?


  • Hi,


    This solution looks to be working in my case, up to the point where I want to check the machine certificate against the CRL with a CRLDP check. Server connection: no server, so direct HTTP access.


    It sometimes fetches the new CRL, sometimes not, based on tcpdump and the firewall logs.


    I was thinking about CRL cache. So I modified the attributes of the CRLDP server:


    Cache Timeout: 10 seconds


    Update Interval: 5 seconds


    I did this just to be sure that, while I am testing this policy, the F5 fetches a fresh CRL every time I reach the policy.


    Scenario: the machine certificate was added to the CRL, and CRLDP correctly denied access. Then the certificate was removed from the CRL, and since then CRLDP still keeps denying access. It looks like it is using a cached copy of the CRL, although I configured the CRLDP to update the CRL every 5 seconds.


    Anybody faced this issue too?
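A way to tell a stale cached CRL apart from a CRL that still lists the serial, as an added example that is not part of this thread and not F5 code: a standard-library-only DER walker that extracts thisUpdate, nextUpdate and the revoked serials from a CRL, plus a generic cache rule. Against a real distribution point you would feed `parse_crl` the bytes returned by an HTTP GET of the CRLDP URL (the one the F5 should be fetching) and compare them with what the box decides. The sample CRL is constructed inside the block (unsigned, with dummy signature bytes) so it runs offline; the parser does not verify the CRL signature (use openssl for that), and `should_refetch` is my assumption of reasonable cache semantics (refetch once the configured update interval has elapsed or nextUpdate has passed), not a description of how the F5 CRLDP object behaves.

```python
"""Extract revoked serials and the validity window from a DER X.509 CRL, and decide
whether a cached copy is due for a refetch.  Added example: standard library only,
unsigned constructed CRL, no signature verification."""
from datetime import datetime, timedelta, timezone


def _tlv(buf, pos):
    """Read one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _time(buf, tag, start, end):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(buf[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_crl(der):
    """Return {'this_update', 'next_update', 'revoked': set of serial ints} from a DER CRL."""
    _, cl_start, _ = _tlv(der, 0)                               # CertificateList
    _, tbs_start, tbs_end = _tlv(der, cl_start)                 # TBSCertList
    fields = list(_children(der, tbs_start, tbs_end))
    i = 1 if fields[0][0] == 0x02 else 0                        # optional version INTEGER
    i += 2                                                      # signature AlgorithmIdentifier, issuer Name
    this_update = _time(der, *fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = _time(der, *fields[i]); i += 1
    revoked = set()
    if i < len(fields) and fields[i][0] == 0x30:                # revokedCertificates SEQUENCE OF
        for _, e_start, e_end in _children(der, fields[i][1], fields[i][2]):
            _, s_start, s_end = _tlv(der, e_start)              # userCertificate INTEGER
            revoked.add(int.from_bytes(der[s_start:s_end], "big", signed=True))
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}


def is_revoked(crl, serial):
    return serial in crl["revoked"]


def should_refetch(fetched_at, crl, now, update_interval_seconds):
    """Generic cache rule (assumption, not the F5 CRLDP object's semantics): refetch once
    the configured update interval has elapsed or the CRL's nextUpdate has passed."""
    if now >= fetched_at + timedelta(seconds=update_interval_seconds):
        return True
    return crl["next_update"] is not None and now >= crl["next_update"]


# ---- constructed sample CRL (tiny DER encoder) --------------------------------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _utc(dt):
    return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_test_crl(this_update, next_update, serials):
    """Constructed, unsigned CRL for offline testing; issuer is a dummy 'Test CA'."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Test CA"))))
    entries = b"".join(
        _der(0x30, _der(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + _utc(this_update))
        for s in serials)
    tbs = _der(0x02, b"\x01") + alg + issuer + _utc(this_update) + _utc(next_update)
    if serials:
        tbs += _der(0x30, entries)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00" * 17))   # dummy signature BIT STRING


T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)      # constructed timestamps
T1 = T0 + timedelta(hours=1)
MACHINE_SERIAL = 0x1234                                     # constructed serial
SAMPLE_REVOKED_CRL = build_test_crl(T0, T1, [MACHINE_SERIAL, 0x80])   # serial listed
SAMPLE_CLEARED_CRL = build_test_crl(T0, T1, [])                       # serial removed


def demo():
    """Replay the scenario from the post: first CRL lists the serial, second one does not."""
    first = parse_crl(SAMPLE_REVOKED_CRL)
    second = parse_crl(SAMPLE_CLEARED_CRL)
    return {
        "denied_before": is_revoked(first, MACHINE_SERIAL),
        "denied_after_with_fresh_crl": is_revoked(second, MACHINE_SERIAL),
        "denied_after_with_stale_cache": is_revoked(first, MACHINE_SERIAL),
        "refetch_due_after_6s": should_refetch(T0, first, T0 + timedelta(seconds=6), 5),
        "refetch_due_after_2s": should_refetch(T0, first, T0 + timedelta(seconds=2), 5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the bytes you pull from the CRLDP URL parse to a CRL without the serial while the policy still denies, the decision is coming from a cached copy rather than from the CRL the distribution point is serving; if the serial is still listed, the CA has not yet published the updated CRL and the cache is not the problem.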