Forum Discussion

Abdessamad_851's avatar
Icon for Nimbostratus rankNimbostratus
Dec 06, 2018

Dynamic OCSP and CRLDP check for SSL Client Authentication



I have a use case where a virtual server is configured with a client ssl profile and client authentication is enabled.


The client certificates can be signed by any CA in a bundle that is assigned to the profile as well.


We want to enable the revocation status check based on the information of the certificate, it can be either CRLDP or OCSP.


There are some configuration objects in "Local Traffic >> Profiles >> Authentication" but these profiles need static URLs for the CRLDP and OCSP.


I also read that this is based on the ACA module that has been deprecated.


So I would assume that the only solution would be the APM module, but I would like to get a clear answer if possible.


Thanks a lot.




1 Reply

  • CRL checking can be done within the SSL profile but does not automatically update the CRL file which needs to be loaded on to the F5. However, I wrote an iCall script solution to this issue which also doesn't put devices within a none auto sync device group out of sync.


    iCall CRL update with Route Domains and Auto-Sync


    For OCSP checking, and doing it correctly, you need APM I do not know of another way to do this other than maybe with iRules LX but not look at it in enough detail to say for sure. So APM is your best option if you really want to use OCSP for revocation checking.