SSL CRL import

I figured adding it in the certificate section would be the way to go. NOPE, I get "Key Mismatch" and it fizzles.you may have to verify whether certificate and private key matches. if so, importing them to ssl certificate section, set them in clientssl profile and finally assign it to virtual server.

 

 

sol6746: Verifying SSL certificate and key pairs from the command line (9.x - 10.x)

 

http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6746.html

Are you trying to import a CRL file or a cert and key? A CRL file doesn't have a private key. If you meant a cert and key, Nitass's link should help.

 

 

Aaron

oops, thanks Aaron. i just noticed CRL in the title. :D

 

 

i think you have seen this sol before but just in case.

 

 

Certificate Revocation List

 

The Certificate Revocation List (CRL) setting allows you to specify a CRL that the BIG-IP should use to check revocation status of a certificate prior to authenticating a client.

 

 

If you want to use a CRL, you must upload it to the /config/ssl/ssl.crl directory on the BIG-IP system. The name of the CRL file may then be entered in the Certificate Revocation List (CRL) setting dialog box.sol10167: Overview of the Client SSL profile

 

http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html

I think this may b ea winner! I'll let you know how it works out.

 

How would you upload a CRL file if the device is in Appliance Mode?

has to go through tmsh then or configuration utility since the restriction is as below (and no bash).

 

 

Administrative access is limited to the Configuration utility, bigpipe shell (bpsh), and the Traffic Management Shell (tmsh).

 

 

Can check this out https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/2161991/showtab/groupforums/Default.aspx

 

Thanks BT but there's no option in the GUI and the solution in the link assumes the file is on the box already. My problem is how to get the file on the box in the first place.

I dont have a box with appliance box but saw SOL stating possible but from the "System ›› Device Certificates : Device Certificate ›› Device Certificate"

 

 

http://support.f5.com/kb/en-us/solutions/public/13000/800/sol13823.html

 

 

Thanks BT but that won't work for importing a CRL. I wonder if this can be done via the serial console or if even that would force me into tmsh. No way of checking myself.

You can still login as admin using the serial console, it's worth a try I'd say.