Forum Discussion
AltocumulusSupport dynamic CRL check for clientSSL profile (BIG-IP 15.1)
AltocumulusIt works for me:
Skip step 1 and 2 if you want to use external proxy server for forwarding the CRL request to the CRL server.
1. Crate DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)
2. Open DNS Resolver created in step 1, go to "Forward Zones" tab and add appropriate zones with DNS servers.
3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)
Assign DNS Resolver created in step 1 (no external proxy) or enable "Use Proxy Server" and specify LTM pool with proxy server (external proxy server).
4. Create Traffic Certificate Management CRL object (GUI-->System-->Certificate Management --> Traffic Certificate Management --> CRL)
Assign internal proxy created in step 3.
5. Assign CRL object created in step 5 to Client SSL profile with client authentication enabled:
Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name
Go to Client Authentication section and set:
Client Certificate to request/require this will enable client authentication
Trusted Certificate Authorities to CA that you want to trust
CRL to object created in step 2.
MAbbasCirrus
Hi - i followed the steps specified above but CRL checks are not working on my device
i have 16.1 running - i created resolver and forward zone in it -
also created a proxy and pool
neither the Dns resolver - nor the proxy pool are getting any hits . meaning counters are 0
and i get the same error message EP1
EP1Hi,
I've included root certificates to Advertised and Trusted bundle, and that solved this error...
