Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Support dynamic CRL check for clientSSL profile (BIG-IP 15.1)

EP1
Altocumulus
Altocumulus

‎17-Apr-2020 02:19

Hi,

 

Did anyone tested  (dynamic) CRL validator object for client SSL profile? (BIG-IP v15.1):

It should work in v 15.1 (fixed bug 743758 -  https://cdn.f5.com/product/bugtracker/ID743758.html )

 

 

0691T000008cpJHQAY.png

 

I'm getting following errors for all client certificates:

 

err tmm1[21207]: 01a40008:3: Unable to build certificate trust chain for profile /clientssl_profile

tmm1[21207]: 01260009:4: clientIP:62042 -> VIP:443: Connection error: ssl_hs_do_crl_validation:6014: alert(46) unknown certificate error

 

 

With CRL File it works ok, but file does not automatically fetch, check, and cache CRL files…

 

Kr,

EPX

 

Labels:
3 REPLIES 3

RadekR
Altocumulus
Altocumulus

‎14-Mar-2021 15:23

It works for me:

Skip step 1 and 2 if you want to use external proxy server for forwarding the CRL request to the CRL server.

1. Crate DNS Resolver (Network-->DNS Resolvers-->DNS Resolver List-->Create)

2. Open DNS Resolver created in step 1, go to "Forward Zones" tab and add appropriate zones with DNS servers.

3. Create an internal proxy (GUI-->System-->Services-->Internal Proxies-->Create)

Assign DNS Resolver created in step 1 (no external proxy) or enable "Use Proxy Server" and specify LTM pool with proxy server (external proxy server).

4. Create Traffic Certificate Management CRL object (GUI-->System-->Certificate Management --> Traffic Certificate Management --> CRL)

Assign internal proxy created in step 3.

5. Assign CRL object created in step 5 to Client SSL profile with client authentication enabled:

Open GUI-->Local Traffic-->Profiles-->SSL-->Client-->profile_name

Go to Client Authentication section and set:

Client Certificate to request/require this will enable client authentication

Trusted Certificate Authorities to CA that you want to trust

CRL to object created in step 2.

 

0 Kudos

MAbbas
Cirrus
Cirrus
In response to RadekR

‎06-Mar-2022 21:24

Hi - i followed the steps specified above but CRL checks are not working on my device 

i have 16.1 running - i created resolver and forward zone in it - 

also created a proxy and pool 

neither the Dns resolver - nor the proxy pool are getting any hits . meaning counters are 0 

and i get the same error message EP1

 

0 Kudos

EP1
Altocumulus
Altocumulus
In response to MAbbas

‎29-Mar-2022 06:37

Hi,

I've included root certificates to Advertised and Trusted bundle, and that solved this error...

0 Kudos
Copyright © 2023 Khoros, LLC