Forum Discussion
Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)
It works for me:
Skip step 1 and 2 if you want to use external proxy server for forwarding the CRL request to the CRL server.
1. Create DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)
2. Open DNS Resolver created in step 1, go to "Forward Zones" tab and add appropriate zones with DNS servers.
3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)
Assign DNS Resolver created in step 1 (no external proxy) or enable "Use Proxy Server" and specify LTM pool with proxy server (external proxy server).
4. Create Traffic Certificate Management CRL object (GUI-->System-->Certificate Management --> Traffic Certificate Management --> CRL)
Assign internal proxy created in step 3.
5. Assign CRL object created in step 5 to Client SSL profile with client authentication enabled:
Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name
Go to Client Authentication section and set:
Client Certificate to request/require (this will enable client authentication)
Trusted Certificate Authorities to CA that you want to trust
CRL to object created in step 2.