Why we CRL? OCSP?

Question

I am  wondering, Why we check client certificate using CRL? or OCSP?
Since i am  holding the Public Certicate and private ket in my f5 box? 
Client are just accessing my website?  How client certificate if compromised , it will breach my web server security?&nbsp;

leonardo_souza · Answer

You just use that to check if the certificate still valid or not.
If you are not doing client authentication, there is nothing to check.&nbsp;
Check this articles, as it has diagrams showing the different types of SSL handshake.&nbsp;
https://devcentral.f5.com/articles/ssl-profiles-part-1&nbsp;
On the other hand, the client itself (most likely a browser), will use some kind of validation to check that the certificate still valid, can be one of those methods or not.&nbsp;

Forum Discussion

Why we CRL? OCSP?

1 Reply

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP

Configuring OCSP Stapling on BIG-IP

OCSP Responder

OCSP through an outbound explicit proxy

OCSP HTTP Header Specification/Example or field name of EDIPI?