Forum Discussion

EP1's avatar
EP1
Icon for Altocumulus rankAltocumulus
Apr 17, 2020

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)

Hi,

 

Did anyone tested  (dynamic) CRL validator object for client SSL profile? (BIG-IP v15.1):

It should work in v 15.1 (fixed bug 743758 -  https://cdn.f5.com/product/bugtracker/ID743758.html )

 

 

 

I'm getting following errors for all client certificates:

 

err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile

tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

 

 

With CRL File it works ok, but file does not automatically fetch, check, and cache CRL files…

 

Kr,

EPX

 

application delivery
BIG-IP
certificate
clientssl
crl
crldp
LTM
security
  • RadekR's avatar
    RadekR
    Icon for Altocumulus rankAltocumulus
    Mar 14, 2021

    It works for me:

    Skip step 1 and 2 if you want to use external proxy server for forwarding the CRL request to the CRL server.

    1. Crate DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)

    2. Open DNS Resolver created in step 1, go to "Forward Zones" tab and add appropriate zones with DNS servers.

    3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)

    Assign DNS Resolver created in step 1 (no external proxy) or enable "Use Proxy Server" and specify LTM pool with proxy server (external proxy server).

    4. Create Traffic Certificate Management CRL object (GUI-->System-->Certificate Management --> Traffic Certificate Management --> CRL)

    Assign internal proxy created in step 3.

    5. Assign CRL object created in step 5 to Client SSL profile with client authentication enabled:

    Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name

    Go to Client Authentication section and set:

    Client Certificate to request/require this will enable client authentication

    Trusted Certificate Authorities to CA that you want to trust

    CRL to object created in step 2.

     

    • MAbbas's avatar
      MAbbas
      Icon for Cirrus rankCirrus
      Mar 07, 2022

      Hi - i followed the steps specified above but CRL checks are not working on my device 

      i have 16.1 running - i created resolver and forward zone in it - 

      also created a proxy and pool 

      neither the Dns resolver - nor the proxy pool are getting any hits . meaning counters are 0 

      and i get the same error message EP1

       

      • EP1's avatar
        EP1
        Icon for Altocumulus rankAltocumulus
        Mar 29, 2022

        Hi,

        I've included root certificates to Advertised and Trusted bundle, and that solved this error...