Forum Discussion
SSL client profile - certificate authentication - multiple CRL files
I'm gonna summarize the (working) solution, clarified with the Support.
The only built-in solution for working with HTTP-based CRLs is CRLDP. CRLDP with HTTP is not working with pure LTM, but within APM (no CRLDP profile, but a CRLDP agent in VPE). Only HTTP scheme is supported, not HTTPS (that should be a very rare case, if any).
If there is no CDP defined within a certificate, CRLDP will only work in conjunction with LDAP, manually configured with a proper CRLDP profile or agent.
In LTM, CRLDP profile supports LDAP. In APM, CRLDP agent supports LDAP/HTTP. This information is valid for TMOS 11.4 to 14.1.
If there is a need for working with multiple CRL files and
- LDAP/HTTP is not available, or
- only HTTP is available in LTM-only mode,
you need to use alternative solutions, mostly based on bash scripts (https://devcentral.f5.com/questions/automaticlly-update-crl).
There is an RFE (ID743758, "RFE: support dynamic CRL check for clientSSL profile"), requesting support for dynamic CRL files. I'm not sure about the content and whether this is related to CRLDP and/or multiple CRL files. Feel free to support this RFE with your cases. ;-)
Greets,
svs
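The post points to script-based workarounds when several CRL files have to be combined for a clientssl profile. As an added Python example (not from the post, the linked thread or F5), this merges several PEM CRLs into one bundle but first reads each CRL's nextUpdate from the DER (RFC 5280 CertificateList) and leaves out stale ones, since a CRL past its nextUpdate no longer reflects current revocations. The CRLs are constructed, unsigned skeletons built inline; a real refresh script would fetch them from the CDP URLs and verify their signatures before installing the bundle.

```python
import base64, datetime as dt

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln = data[pos], data[pos + 1]
    pos += 2
    if ln & 0x80:                        # long form: low 7 bits = number of length bytes
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + ln], pos + ln

def crl_validity(der):
    """(thisUpdate, nextUpdate) of a DER CertificateList, RFC 5280 s5.1; nextUpdate may be None."""
    _, cert_list, _ = _tlv(der)          # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    _, tbs, _ = _tlv(cert_list)          # tbsCertList ::= SEQUENCE { version?, sigAlg, issuer, thisUpdate, nextUpdate?, ... }
    pos, times = 0, []
    while pos < len(tbs) and len(times) < 2:
        tag, val, pos = _tlv(tbs, pos)
        if tag in (0x17, 0x18):          # UTCTime / GeneralizedTime; first two at this level are the two updates
            fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
            times.append(dt.datetime.strptime(val.decode(), fmt).replace(tzinfo=dt.timezone.utc))
    return times[0], (times[1] if len(times) > 1 else None)

def merge_crls(pems, now):
    """Concatenate PEM CRLs into one bundle; stale ones (nextUpdate passed) are left out and reported."""
    kept, stale = [], []
    for name, pem in pems.items():
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        _, next_upd = crl_validity(base64.b64decode(body))
        if next_upd is None or next_upd > now:
            kept.append(pem.strip())
        else:
            stale.append(name)
    return "\n".join(kept) + "\n", stale

def _der(tag, body):                     # tiny DER encoder, used only for the constructed samples below
    ln = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def sample_crl_pem(this_update, next_update):
    """Constructed, unsigned CRL skeleton (dummy signature) that exercises the parser above."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, b"Test CA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 5))
    return "-----BEGIN X509 CRL-----\n" + base64.b64encode(der).decode() + "\n-----END X509 CRL-----\n"

def run_demo(now=dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)):
    # constructed input: ca1 is current, ca2's nextUpdate passed on 2024-02-01
    crls = {"ca1.crl": sample_crl_pem(dt.datetime(2024, 5, 1), dt.datetime(2024, 7, 1)),
            "ca2.crl": sample_crl_pem(dt.datetime(2024, 1, 1), dt.datetime(2024, 2, 1))}
    return merge_crls(crls, now)
```

run_demo() returns the bundle text plus the list of CRLs that were skipped as stale, which is the signal a scheduled refresh job should alert on rather than silently installing an incomplete bundle.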