Forum Discussion
SSL client profile - certificate authentication - multiple CRL files
For one of my customers a bash script was created to download the crl's and with openssl concat them into one crl. (the list of crl's to download was created in a data group)
This crl is then placed in the configuration, replacing the "old" crl file.
tmsh modify sys file ssl-crl "allcrl.crl" source-path file:"newcrl.crl"
Your client ssl profile will point to allcrl.crl containing all the revoked certificates from the CA's in the datagroup.
Cheers,
Kees
- _JOHN_ | Aug 09, 2022 | Altocumulus
Kees
Sorry to post a random question in reply to one of your old comments!
If you happen to see this, I was wondering if you could please expand further on what you meant by "download the crl's and with openssl concat them into one crl"?
I have seen a few Dev Central posts where folks have simply concatenated PEM CRL files at the CLI, e.g. using 'cat' in bash. However I know that openssl only 'sees' the first CRL in such a concatenated 'bundle', and when I queried F5 operation in a support request the answer was that concatenated PEM files weren't supported, e.g. couldn't use them as the CRL referenced in a client SSL profile.
However you mentioned concatenation using openssl. Is there a way to produce a valid single CRL file somehow from two separate CRLs using openssl? CRLs are signed by the relevant CA, so I'm not sure how the end file would look, but if it is possible I would really appreciate any info you can provide.
Cheers,
John
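The behaviour John describes above (openssl reading only the first CRL in a concatenated PEM file) means a bundle has to be split before each CRL can be inspected. The script below is an added example, not part of the original posts and not the script Kees describes; the function names, the crl-N.pem output names and the sample bundle (placeholder bodies, not real CRLs) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: split a concatenated PEM CRL bundle and inspect each CRL alone.

# split_crl_bundle BUNDLE OUTDIR
# Writes every "BEGIN X509 CRL" block to OUTDIR/crl-N.pem and prints the count.
split_crl_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN X509 CRL-----/ { n++; out = sprintf("%s/crl-%d.pem", dir, n); inblock = 1 }
        inblock                     { print > out }
        /^-----END X509 CRL-----/   { inblock = 0; close(out) }
        END                         { print n + 0 }
    ' "$1"
}

# inspect_crls OUTDIR
# Shows issuer and validity window of each split CRL, so a stale or missing
# CA is visible. Returns non-zero if any block does not parse as a CRL.
inspect_crls() {
    rc=0
    for f in "$1"/crl-*.pem; do
        [ -e "$f" ] || continue
        echo "== $f"
        openssl crl -in "$f" -inform PEM -noout -issuer -lastupdate -nextupdate || rc=1
    done
    return $rc
}

# make_sample_bundle FILE
# Constructed sample: two PEM-framed placeholder blocks (NOT real CRLs), enough
# to exercise the splitter offline. Use real downloaded CRLs with inspect_crls.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN X509 CRL-----
Q09OU1RSVUNURUQx
-----END X509 CRL-----
-----BEGIN X509 CRL-----
Q09OU1RSVUNURUQy
-----END X509 CRL-----
EOF
}

# Usage: script.sh BUNDLE.pem OUTDIR
if [ "$#" -eq 2 ]; then
    echo "CRL blocks found: $(split_crl_bundle "$1" "$2")"
    inspect_crls "$2"
fi
```

Comparing the block count with the output of `openssl crl -in BUNDLE.pem -noout -issuer` run on the unsplit file shows how many CRLs that single call leaves unread.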