I have a requirement to create a Client certificate authenticated VIP with revocation checks.
The problem is that the client certificate presented can be issued from one of about 100 different CAs.
There is an XML feed which provides me all of the valid CA certificates and I already have a solution to get these into a certificate bundle on the F5, so that's not a problem.
I also have an iRule to check the certificate fingerprint against a whitelist, again this works great.
However, I am required to check for certificate revocation. Each certificate will have either (or both) a CRL distribution point or an OCSP responder listed in its X509 fields.
Is there any way I can get the F5 to automatically check for certificate revocation against these fields without having to manually import all of the CRL lists and/or set up all the OCSP responders manually?
Or failing that, is there a (simplish) way for the F5 to scan the CA bundle and automatically download all the CRL files and concatenate them?
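The fallback sketched in the question (scan the CA bundle for CRL distribution points, download each CRL, concatenate them into one bundle) as an added Go example; this is not code from the question or from F5. It assumes the caller supplies the download function and runs off-box against the bundle file, and the CA certificate, its CRL and the `http://crl.example.test` URI are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// crlBundleFromCAs walks a PEM CA bundle, fetches every CRL distribution point URI it finds
// (fetch is an HTTP GET in production, a stub in the test), refuses anything that does not parse as a CRL, and returns the CRLs as one PEM file.
func crlBundleFromCAs(caBundle []byte, fetch func(string) ([]byte, error)) ([]byte, error) {
	var out []byte
	for b, rest := pem.Decode(caBundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		for _, u := range cert.CRLDistributionPoints { // only http(s) URIs are fetchable this way
			der, err := fetch(u)
			if err != nil {
				return nil, err
			}
			if _, err := x509.ParseRevocationList(der); err != nil { // e.g. an HTML error page came back
				return nil, err
			}
			out = append(out, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})...)
		}
	}
	return out, nil
}

// sampleCA is constructed test data: a self-signed CA (PEM) with cdp as its CRL distribution point, and an empty DER CRL it signed.
func sampleCA(cdp string) (caPEM, crlDER []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, CRLDistributionPoints: []string{cdp}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der) // the parsed copy carries the generated SubjectKeyId that CRL signing requires
	crlDER, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}, ca, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), crlDER
}
```

Before pointing this at 100 CAs, deduplicate repeated URIs and re-fetch on each CRL's NextUpdate rather than on every run. Note that a CA certificate's own distribution point names the CRL on which that CA would be revoked by its issuer; the CRLs that decide a client certificate's status are the ones named in the client certificates themselves.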