Forum Discussion
need to accept several CA on one virtual server
Hi, I am a new user of F5 LTM and I have some problems configuring my virtual server to handle several CAs. The problem I am having is how to manage the CRLs. It seems that I can only check the CAs against a single CRL. Any ideas on how to solve this?
thanks
Sebastian
12 Replies
- Yann_Desmarest_
Nacreous
Hello,
You can define a script that retrieves all CRLs and then concatenates them into a single file.
Then you can update the CRL object within BIG-IP using a tmsh command.
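The script Yann describes, as an added example that is not part of the thread: it downloads each CA's CRL, concatenates the PEM CRLs into one bundle and reloads the ssl-crl object with tmsh. The URLs, paths, object name and the size-guard value are assumptions; the guard exists because BIG-IP rejects oversized CRL files, so the script refuses to push a bundle over a configured limit.

```shell
# Added example, not from the thread: fetch each CA's CRL, concatenate them
# into one PEM bundle and load it into the BIG-IP ssl-crl object. URLs,
# paths, the object name and the size guard value are assumptions.
set -eu
WORK="${WORK:-/var/tmp/crl-bundle}"
BUNDLE="$WORK/bundle.crl"
CRL_OBJECT="${CRL_OBJECT:-test.crl}"            # /sys file ssl-crl object name
MAX_BUNDLE_BYTES="${MAX_BUNDLE_BYTES:-1048576}" # placeholder; BIG-IP rejects oversized CRL files
# Constructed list of CRL distribution points, one per CA (placeholders).
CRL_URLS="http://ca1.example.test/ca1.crl
http://ca2.example.test/ca2.crl"

# Download every CRL; a failed download aborts the run so a stale or
# partial bundle is never pushed to the BIG-IP.
fetch_crls() {
    mkdir -p "$WORK"
    n=0
    for url in $CRL_URLS; do
        n=$((n + 1))
        curl -fsS --max-time 30 -o "$WORK/crl$n.pem" "$url"
    done
}

# Succeed only if the file holds exactly one PEM CRL (one BEGIN, one END).
is_pem_crl() {
    [ "$(grep -c '^-----BEGIN X509 CRL-----' "$1")" -eq 1 ] &&
    [ "$(grep -c '^-----END X509 CRL-----' "$1")" -eq 1 ]
}
# Concatenate the PEM CRLs given as $2.. into $1 and print how many were
# written; fail on a non-CRL input or a bundle above MAX_BUNDLE_BYTES.
concat_crls() {
    out="$1"; shift
    : > "$out"
    count=0
    for f in "$@"; do
        is_pem_crl "$f" || { echo "not a PEM CRL: $f" >&2; return 1; }
        cat "$f" >> "$out"
        count=$((count + 1))
    done
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -le "$MAX_BUNDLE_BYTES" ] ||
        { echo "bundle is $size bytes, over $MAX_BUNDLE_BYTES" >&2; return 1; }
    echo "$count"
}

# Replace the object's content with the bundle (tmsh takes a file: URI).
load_crl() {
    tmsh modify /sys file ssl-crl "$CRL_OBJECT" source-path "file:$BUNDLE"
}
# Full run (fetch, bundle, load) only when the script is called with "run".
if [ "${1:-}" = "run" ]; then fetch_crls; concat_crls "$BUNDLE" "$WORK"/crl*.pem; load_crl; fi
```

Run it from cron on the BIG-IP as `sh crl-bundle.sh run` to refresh the object on a schedule.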
- Yann_Desmarest_
Nacreous
You can use the following tmsh command: tmsh modify /sys file ssl-crl test.crl source-path $file
- sebbenw_230133
Nimbostratus
Thanks for the answer Yann! It seems to work when I concatenate two small files (only 30 KB), but when I use the file I need to use, which is much larger (15 MB), I get an error in the LTM GUI (An error has occurd while trying to process your request)
- Saravanan_M_K
Employee
CRL file size has limitations. See https://support.f5.com/kb/en-us/solutions/public/10000/000/sol10054.html
- Hannes_Rapp
Nimbostratus
Yann's answer is a good solution, but there are limitations. I do not remember the exact BIG-IP version, but I got the same error whenever my generic bundle-certificate files got larger than ~100 certs per file. I believe if you use CRLs your limits are higher, but they exist. The numbers are probably higher with more recent BIG-IP versions. You may contact F5 to get a confirmation of the limitations and exact figures for your version, or just keep decreasing the number of certificates until it works.
Apart from that, you will need to look for a workaround where the CRL is hosted externally.
Alternatively, if you are using APM, you can configure an OCSP responder (for example a Microsoft 2012R2 Server) to get live revocation status. The Microsoft server is able to handle multiple sources of CRLs simultaneously.