Overview: Configure CRLDP Authentication

About CRLDP authentication

A Certificate Revocation List Distribution Point (CRLDP) is an industry-standard protocol for managing SSL certificate revocation on a network or system. CRLDP Authentication checks the standard certificate revocation list (CRL), the list of revoked (invalid) certificates, to determine a certificate's revocation status and to provide certificate-based access to servers in a network. CRLDP is also an alternative to the Online Certificate Status Protocol (OCSP). The main limitation of a CRL is that it must be updated frequently to reflect the current revocation state, whereas OCSP checks certificate status in real time.

BIG-IP Next Access supports retrieving CRLs from network locations (distribution points) to check SSL certificate revocation status. A distribution point is a Uniform Resource Identifier (URI) or directory name specified in a certificate that identifies how the server obtains CRL information. Distribution points can be used with CRLs to configure certificate authorization using any number of LDAP servers. The CRLDP AAA Server defines how to access a CRL file from a distribution point.

When presented with certificates containing different Certificate Revocation List Distribution Point (CRLDP) information, BIG-IP Next, configured with the CRLDP module, may authenticate clients using various methods. Depending on the CRLDP configuration and the CRLDP information in the certificate, BIG-IP Next may authenticate the client using the CRLDP AAA server or the certificate.

About CRLs

A certificate revocation list (CRL) is a PEM-formatted file containing a list of revoked certificates; it is attached to the client's SSL profile. For each entry the CRL records the reason for the certificate's revoked status, the certificate's issue date and its originator. The file also records when its next update is due, and it must be kept up to date manually. When a user with a revoked SSL certificate attempts to log on to BIG-IP Next Access, the user is allowed or denied access based on the CRL configured in the profile.
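The check the two sections above describe, as an added Go example that is not part of this documentation or of BIG-IP Next: it builds a throwaway CA, a client certificate carrying a placeholder CRLDP URI and a CRL in memory, then does what a CRLDP check does once the CRL has been fetched, namely verify the CRL signature against the issuer, reject a CRL whose NextUpdate has passed, and look the client serial up in the list. The CA name, the serial numbers and the distribution point URI are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// checkWithCRL is the decision a CRLDP check makes once the CRL has been fetched from the
// distribution point: verify the CRL is signed by the issuer, refuse a CRL whose NextUpdate has
// passed (it may omit recent revocations), then look the client's serial number up in the list.
// Returns "invalid", "stale", "revoked" or "good".
func checkWithCRL(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) string {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil { return "invalid" } // unparsable or wrong issuer
	if now.After(crl.NextUpdate) { return "stale" }                          // expired CRL is not evidence of "good"
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return "revoked" }
	}
	return "good"
}

// buildFixture constructs in memory a throwaway CA, a client certificate carrying a placeholder CRLDP
// URI, and a CRL issued by that CA, optionally listing the client certificate as revoked.
func buildFixture(revokeLeaf bool, nextUpdate time.Time) (leaf, ca *x509.Certificate, crlDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key reused for CA and client, for brevity
	if err != nil { return }
	now := time.Now()
	mkCert := func(tmpl, parent *x509.Certificate) (*x509.Certificate, error) { // sign with the CA key, parse back
		der, e := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
		if e != nil { return nil, e }
		return x509.ParseCertificate(der)
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required to issue the CRL
	if ca, err = mkCert(caTmpl, caTmpl); err != nil { return }
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "client"},
		NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter,
		CRLDistributionPoints: []string{"http://crl.example.invalid/ca.crl"}} // placeholder URI, not a real DP
	if leaf, err = mkCert(leafTmpl, ca); err != nil { return }
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: nextUpdate}
	if revokeLeaf { crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}} }
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return
}
```

A fetcher would obtain `crlDER` from the URI in `leaf.CRLDistributionPoints` before calling `checkWithCRL`; the "stale" result is what "must be kept updated" looks like in practice and should be treated as a failed check, not as a pass.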

Configure CRLDP Authentication

You can configure CRLDP authentication using the following methods:

Configure CRLDP Authentication using BIG-IP Next Central Manager