Forum Discussion
Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
It works for me:
Skip steps 1 and 2 if you want to use an external proxy server for forwarding the CRL request to the CRL server.
1. Create DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)
2. Open the DNS Resolver created in step 1, go to the "Forward Zones" tab and add the appropriate zones with DNS servers.
3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)
Assign the DNS Resolver created in step 1 (no external proxy), or enable "Use Proxy Server" and specify the LTM pool with the proxy server (external proxy server).
4. Create a Traffic Certificate Management CRL object (GUI-->System-->Certificate Management-->Traffic Certificate Management-->CRL)
Assign the internal proxy created in step 3.
5. Assign the CRL object created in step 5 to a Client SSL profile with client authentication enabled:
Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name
Go to the Client Authentication section and set:
Client Certificate to request/require (this will enable client authentication)
Trusted Certificate Authorities to the CA that you want to trust
CRL to the object created in step 2.
- MAbbas, Mar 07, 2022, Cirrus
Hi - I followed the steps specified above, but CRL checks are not working on my device.
I have 16.1 running. I created a resolver and a forward zone in it,
and also created a proxy and pool.
Neither the DNS resolver nor the proxy pool are getting any hits, meaning the counters are 0,
and I get the same error message, EP1.
- EP1, Mar 29, 2022, Altocumulus
Hi,
I've included the root certificates in the Advertised and Trusted bundle, and that solved this error...
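The two checks the Client SSL profile above performs once a CRL object is attached are chain trust against the Trusted Certificate Authorities bundle and a serial lookup in the fetched CRL, and both replies in this thread describe what happens when one of them cannot complete. The following added example (written for this page; it is not F5 code and does not touch a BIG-IP) reproduces those checks with plain openssl in a throwaway directory: a constructed lab CA issues two client certificates, revokes one, publishes a CRL, and `verify_client_cert` reports the outcome for a good certificate, a revoked one, a certificate whose issuing CA is missing from the trusted bundle (EP1's fix), and a certificate checked when no CRL is available at all (the symptom of a resolver or proxy that never reaches the CRL server). All names, subjects and files are constructed; it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added lab example: reproduce the trust-bundle and CRL checks of a client-auth
# SSL termination with openssl. Everything is constructed in a temp directory.
set -eu

setup_lab() {
    LAB="$(mktemp -d)"
    cd "$LAB"
    touch index.txt
    echo 01 > serial
    # Minimal openssl config: a [req] section so key/cert generation is
    # self-contained, and a CA section for issuing, revoking and CRL generation.
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 2
default_crl_days = 1
policy           = lab_policy
[ lab_policy ]
commonName       = supplied
EOF
    # Constructed client CA. cRLSign in keyUsage matters: verifiers reject a
    # CRL whose issuer certificate carries a keyUsage without it.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Lab Client CA" -days 2 \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1
    # An unrelated CA that stands in for a trusted bundle missing the real root.
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
        -subj "/CN=Unrelated CA" -days 2 \
        -addext "basicConstraints=critical,CA:TRUE" >/dev/null 2>&1
    # Two client certificates issued by the lab CA; one will be revoked.
    for name in good revoked; do
        openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name-client" >/dev/null 2>&1
        openssl ca -batch -config ca.cnf -notext -in "$name.csr" -out "$name.crt" >/dev/null 2>&1
    done
    openssl ca -config ca.cnf -revoke revoked.crt >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# verify_client_cert CERT TRUSTED_BUNDLE [CRL]
# Prints one word describing the verdict a CRL-checking verifier reaches:
#   accepted | revoked | untrusted-issuer | crl-unavailable | rejected: <detail>
verify_client_cert() {
    cert="$1"; bundle="$2"; crl="${3:-}"
    if [ -n "$crl" ]; then
        out="$(openssl verify -crl_check -CAfile "$bundle" -CRLfile "$crl" "$cert" 2>&1)" || true
    else
        # CRL checking enabled but no CRL could be obtained.
        out="$(openssl verify -crl_check -CAfile "$bundle" "$cert" 2>&1)" || true
    fi
    case "$out" in
        *"certificate revoked"*)              echo revoked ;;
        *"unable to get local issuer"*)       echo untrusted-issuer ;;
        *"unable to get certificate CRL"*)    echo crl-unavailable ;;
        *": OK"*)                             echo accepted ;;
        *)                                    echo "rejected: $out" ;;
    esac
}

# Stand-alone demo of the four outcomes.
setup_lab
echo "good cert, CA trusted, CRL present:   $(verify_client_cert good.crt ca.crt ca.crl)"
echo "revoked cert, CA trusted, CRL present: $(verify_client_cert revoked.crt ca.crt ca.crl)"
echo "good cert, CA not in trusted bundle:   $(verify_client_cert good.crt other.crt ca.crl)"
echo "good cert, CRL not retrievable:        $(verify_client_cert good.crt ca.crt)"
```

The third and fourth cases are the ones the replies above hit: a bundle that lacks the issuing root fails before the CRL is ever consulted, and a verifier configured to check CRLs rejects an otherwise valid certificate when no current CRL is available, so zero counters on the DNS resolver or proxy pool feeding the CRL fetch show up as client-auth failures rather than as a skipped check.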