Manual Chapter : BIG-IP 4.6 Features Guide:CRL Authentication Enhancements

Applies To: BIG-IP versions 1.x - 4.x (4.6.0)
Chapter 4: CRL Authentication Enhancements


Understanding CRL authentication

When presented with a client certificate, the BIG-IP system sometimes needs to assess the revocation state of that certificate before accepting the certificate and forwarding the connection to a target server. We recommend that you use Online Certificate Status Protocol (OCSP) to perform client certificate verification. OCSP is an industry-standard protocol that ensures that the BIG-IP system always obtains real-time revocation status during the certificate verification process. For more information on how to configure OCSP, see the BIG-IP New Features Guide for PTF-04, Chapter 2, Online Certificate Status Protocol for the BIG-IP System.

If your configuration prevents you from using OCSP, the BIG-IP system supports the use of CRL distribution points as an alternative to OCSP for use with its SSL proxy feature. A Certificate Revocation List (CRL) is a list of revoked client certificates, which a server system can check during the process of verifying a client certificate. CRLs can be stored on one or more LDAP servers.

Enhancements to CRL authentication

This release includes several enhancements to CRL functionality, including the addition of CRL management using distribution points, and a configurable update interval that refreshes CRLs at a specified interval.

Before you configure any of the following CRL features, you should review the section on Authentication in the BIG-IP Reference guide version 4.5, Chapter 7.

Note: These features are only configurable using the command line utility.

Configuring CRL distribution points

CRL distribution points are a mechanism used to distribute certificate revocation information across a network. Distribution points are Uniform Resource Identifiers (URIs) or directory names specified in certificates that identify how CRL information is obtained by the server. Distribution points can be used in conjunction with CRLs to configure certificate authorization using any number of LDAP servers.

Activating distribution points

To enable the CRL distribution point feature, type the bigpipe proxy command, using the following arguments:

bp proxy <ip_addr>:<service> [clientssl] crldp <enable | disable>

To assign the LDAP base directory name for certificates that specify the CRL distribution point in directory name format, type the bigpipe proxy command, using the following arguments:

bp proxy <ip_addr>:<service> [clientssl] crldp ldapserver [<base_dn> <ldap_server_ip> <ldap_port>]

where:

<base_dn> is either a URI or directory name, depending on what is defined in the client certificate.

In order for distribution points to work correctly, URIs and directory names specified in the proxy must match the names in the CRL exactly.

Tip
If you are specifying a directory name that contains an equals sign, you need to use the following standard UNIX format: "base_dn".


Setting the update interval for CRL distribution points

CRL files can become outdated, and might need to be updated as often as every day, or as seldom as every 30 days. If your CRL file is out-of-date, the BIG-IP system rejects all certificates, both valid and invalid. Certificates are rejected until the SSL proxy fetches a new CRL. For this reason, it is important to keep your CRL files up-to-date at all times.

You can specify an update interval for CRL distribution points. The update interval for distribution points ensures that CRL status is checked at regular intervals, regardless of the CRL timeout. This helps to prevent CRL information from becoming outdated before the BIG-IP system checks the status of a certificate. To specify the update interval for CRL distribution points, type the bigpipe proxy command using the following arguments. The update interval setting is disabled by default (0).

bp proxy <ip_addr>:<service> [clientssl] crldp update interval <0 or (5-60)>

Setting the time-to-live for retrievals

To set the time-to-live (TTL) in minutes for successful retrievals, type the bigpipe proxy command, using the following arguments. The default is 60 minutes.

bp proxy <ip_addr>:<service> [clientssl] crldp ttl OK <10 to 1440>

To set the TTL in minutes for failed retrievals, type the bigpipe proxy command, using the following arguments. The default is 5 minutes.

bp proxy <ip_addr>:<service> [clientssl] crldp ttl FAILED <1 to 60>

To set the TTL for pending retrievals, type the bigpipe proxy command, using the following arguments. The default is 1 minute.

bp proxy <ip_addr>:<service> [clientssl] crldp ttl PENDING <1 to 5>

Configuring CRL skip processing for CRL distribution points

When it is necessary to check only the user certificate, and not the CRL distribution points for the entire certificate chain, you can enable skip crlchain. This option is disabled by default.

To enable the skip check feature, type the bigpipe proxy command, using the following arguments:

bp proxy <ip_addr>:<service> [clientssl] crldp skip crlchain <enable | disable>

Allow the use of previously retrieved CRLs when current retrievals fail

When current CRL distribution point retrievals fail or are pending, you can allow the use of previously retrieved CRLs. This option is disabled by default.

To enable this feature, type the bigpipe proxy command, using the following arguments:

bp proxy <ip_addr>:<service> [clientssl] crldp allow failure <enable | disable>
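The settings in this chapter assembled into one script, as an added example that is not F5's code and is not part of the manual: it validates each value against the ranges documented above before emitting any bigpipe command, applies the chapter's quoting tip to a base DN that contains an equals sign, and leaves skip crlchain and allow failure at their documented defaults (disabled), so the full chain is checked and a failed retrieval never falls back silently to a stale CRL. It assumes the bp binary is on the PATH of the BIG-IP when BP_EXEC=1 is set; otherwise it only prints the command sequence. The proxy address, base DN and LDAP server values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the F5 manual): builds the "crldp" command sequence
# for one clientssl proxy and checks every value against the documented ranges.
# Commands are printed only; set BP_EXEC=1 on a BIG-IP to run them via "bp".

# in_range VALUE MIN MAX -> succeeds if VALUE is an integer within [MIN, MAX]
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_update_interval VALUE -> documented range: 0 (disabled) or 5-60 minutes
check_update_interval() {
    [ "$1" = "0" ] || in_range "$1" 5 60
}

# check_ttl STATE VALUE -> documented TTL ranges (minutes) per retrieval state
check_ttl() {
    case "$1" in
        OK)      in_range "$2" 10 1440 ;;
        FAILED)  in_range "$2" 1 60 ;;
        PENDING) in_range "$2" 1 5 ;;
        *)       return 1 ;;
    esac
}

# show_word WORD -> WORD, double-quoted when it contains '=' or a space, which
# is the standard UNIX quoting the chapter's tip requires for a directory-name
# base DN such as CN=CRL1,O=Example
show_word() {
    case "$1" in
        *=*|*' '*) printf '"%s"' "$1" ;;
        *)         printf '%s' "$1" ;;
    esac
}

# bp_cmd ARGS... -> prints the command line; executes it only when BP_EXEC=1
bp_cmd() {
    line="bp"
    for w in "$@"; do line="$line $(show_word "$w")"; done
    printf '%s\n' "$line"
    if [ "${BP_EXEC:-0}" = "1" ]; then
        bp "$@"
    fi
}

# configure_crldp PROXY BASE_DN LDAP_IP LDAP_PORT UPDATE TTL_OK TTL_FAILED TTL_PENDING
# Emits the whole sequence; returns 1 and emits nothing if a value is out of range.
configure_crldp() {
    proxy=$1; base_dn=$2; ldap_ip=$3; ldap_port=$4
    update=$5; ttl_ok=$6; ttl_failed=$7; ttl_pending=$8
    check_update_interval "$update"  || { echo "update interval must be 0 or 5-60" >&2; return 1; }
    check_ttl OK "$ttl_ok"           || { echo "ttl OK must be 10-1440" >&2; return 1; }
    check_ttl FAILED "$ttl_failed"   || { echo "ttl FAILED must be 1-60" >&2; return 1; }
    check_ttl PENDING "$ttl_pending" || { echo "ttl PENDING must be 1-5" >&2; return 1; }

    bp_cmd proxy "$proxy" clientssl crldp enable
    bp_cmd proxy "$proxy" clientssl crldp ldapserver "$base_dn" "$ldap_ip" "$ldap_port"
    bp_cmd proxy "$proxy" clientssl crldp update interval "$update"
    bp_cmd proxy "$proxy" clientssl crldp ttl OK "$ttl_ok"
    bp_cmd proxy "$proxy" clientssl crldp ttl FAILED "$ttl_failed"
    bp_cmd proxy "$proxy" clientssl crldp ttl PENDING "$ttl_pending"
    # Documented defaults, stated explicitly: check the whole chain, and do not
    # reuse a previously retrieved CRL when the current retrieval fails.
    bp_cmd proxy "$proxy" clientssl crldp skip crlchain disable
    bp_cmd proxy "$proxy" clientssl crldp allow failure disable
}

# Example run with constructed placeholder values (dry run unless BP_EXEC=1):
# 30-minute update interval, 60/5/1-minute TTLs for OK/FAILED/PENDING.
configure_crldp 10.0.0.5:443 "CN=CRL1,OU=PKI,O=Example" 10.0.0.20 389 30 60 5 1
```

Run it once without BP_EXEC to review the exact command lines it will issue, then rerun with BP_EXEC=1 on the BIG-IP. Keeping the update interval well inside the CRL's own validity period is what prevents the "all certificates rejected" state described above; the TTL values bound how long a successful, failed or pending retrieval result is trusted before the proxy fetches again.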