title: Full-chain CRL Checking for Client Certificate Validation layout: layout161 — Avi Vantage supports use of Certificate Revocation Lists (CRLs). A CRL is a file issued by a certificate authority (CA) that lists certificates that were issued by the CA but have been revoked. When a client sends a request for an SSL connection to a virtual service, Avi Vantage can check the CAs and CRL(s) in the virtual service’s PKI profile to verify whether the client certificate is still valid.

The PKI profile has an option for full-chain CRL checking: Enable CRL Check

Here is an example of a PKI profile with CRL checking enabled. This profile also contains the intermediate and root certificates that form the chain of trust for the server certificate. The profile also contains the CRLs from the issuing authorities for the server and intermediate certificates. The www.root.client.com CRL is used to verify whether certificate www.intermediate.client.com is valid. Likewise, the www.intermediate.client.com CRL is used to verify whether the “client” (leaf) certificate www.client.client.com is valid.

CRL2

Enabling Full-chain CRL Checking

  1. Navigate to Applications > Templates.

  2. Select Security, and click on PKI Profile.

  3. Click on the edit icon next to the PKI profile, or click New to create a new one.

  4. Check (select) Enable CRL Check.

  5. If creating a new profile enter a name and add the key, certificate, and CRL files. Make sure the profile contains a CRL for each intermediate CA in the chain of trust.

  6. Click Save.