Forum Discussion
Automatically update CRL
Is it possible to configure auto-update of the CRL?
I have BIG-IP v11. From the CA I have downloaded and imported the CRL file. In the Client SSL profile I have configured: Cert - required ... and CRL => imported file.
So, how can I configure the automatic update of the CRL file?
Is it possible to set this from the GUI, or CLI only?
Thanks
17 Replies
- Hi Petras,
- Hi Hoolio,
- F5's approach to this problem is poor. This problem must be widespread, but is never adequately addressed, either here in the forum or on the support site or in the documentation.
- Here is the manual section on validating certificate revocation status. This section covers CRLs, OCSP, and CRLDP.
- Hi folks,
Came across a similar issue when a PKI I was working with did not support OCSP and the CRLDP setup would not work due to the CRLDP info in the cert being without a hostname, i.e. ldap:///CN=... (http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12975.html?sr=22851678)
So the only workaround was implementing a scripted download/update of the CRL file, from an 11.1 box, so I thought I'd add what I did here, basically modifying the above script to suit with a few extras.
Note that if you save the script in /root/ then I am told the script won't be wiped out if you upgrade the OS/apply a hotfix etc. However, the crontab entry may be wiped out if you upgrade the OS/apply a hotfix I believe - haven't tested it. The script also has some additional error checking and emails out a notification if there's an error in curl getting the file.
```sh
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by this
#   script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List
# - Remember to make this script executable (chmod 700 or as applicable) and test it from CLI first
# - Add it to crontab (crontab -e), e.g. if you want to run it on the hour every hour add
#   0 * * * * /root/demo_crl.sh

cd /root

# delete the old file if it exists
if [ -f demo.crl ]; then
    mv demo.crl demo.crl.old
fi

if [ $? -eq 0 ]; then
    # Download CRL faking the host header because we're using an IP address in the request
    # rdexec only available in v11.1 - runs a CLI command against a specific route domain, see sol13472
    # Change <rd> to your route domain ID (you can omit rdexec entirely for the Common route domain)
    # Change or remove --ntlm -u <user>:<pass> if you need AD credentials to download
    # Enter the name and IP of your PKI server instead of <pkihost> and <1.2.3.4>
    # The URL is quoted: an unquoted '&' would background curl, which is why the original needed 'wait'
    rdexec <rd> curl -o demo.crl --ntlm -u <user>:<pass> -H 'Host: <pkihost>' -g 'http://<1.2.3.4>/certsrv/certcrl?Type=base&Renewal=0&Enc=bin'

    if [ -f demo.crl ]; then
        # convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above
        # openssl crl -inform der -in demo.crl -out demo.pem
        # rm demo.crl
        # mv demo.pem demo.crl

        # This is the v11 location and TMSH command to 'touch' the config
        # Change <partition> to the relevant partition name (or Common) and <profile> to the relevant client ssl profile
        cat demo.crl > /config/filestore/files_d/<partition>_d/certificate_revocation_list_d/\:<partition>\:demo.crl_1
        tmsh modify ltm profile client-ssl /<partition>/<profile> crl-file /<partition>/demo.crl
    else
        # Email notify someone if this failed for any reason - need to set up mailhub in /etc/ssmtp/ssmtp.conf, ref sol13180
        mail -s "CRL retrieval failed" admin@example.com < /dev/null
    fi
fi
```
- Nice Evan. Very similar to my script once I converted to v11. One thing I would do differently is not overwrite the old CRL when you download the new one: test if the new one exists, then rename it.
That way if the download fails you still have the original CRL.
- Another suggestion. You can import the file using tmsh. This is the 11.1 syntax; it looks like it might be different for 11.2.
This moves the file into place and 'touches' the config:
```sh
tmsh modify /sys file ssl-crl democrl source-path file:/root/demo.crl
```
Another version. Note that this is only tested on 11.1.x and an F5 active/standby cluster.
REMOVED
Removed post. Code contained error.
Wth is wrong with this board? I can't even edit posts decently... Anyway, this is the correct bugfix:
```sh
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by
#   this script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List.

TMSH="/usr/bin/tmsh"
TMPFILE=`/bin/mktemp` || { echo "Failed to create temp file. Exiting"; exit 1; }

if [ -e "$TMSH" ]; then
    STATUS=`$TMSH show sys failover`
else
    echo "tmsh not found"
    exit 1
fi

# Only the active unit downloads and pushes the CRL; the standby gets it via config-sync.
case "$STATUS" in
    *active*)
        echo "Active F5: Continuing..."
        ;;
    *standby*)
        echo "Standby F5: Exiting."
        /bin/rm $TMPFILE
        exit 0
        ;;
    *)
        echo "Unknown status: Exiting."
        /bin/rm $TMPFILE
        exit 1
        ;;
esac

/usr/bin/curl -f -o $TMPFILE -H 'Host: HOSTNAME' -g http://HOSTNAME/demo.crl
if [ $? -ne 0 ]; then
    echo "Error getting CRL file. Exiting."
    /bin/rm $TMPFILE
    exit 1
fi

if [ -f $TMPFILE ] && [ -s $TMPFILE ]; then
    # convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above
    # (operate on the temp file, not on demo.crl, which is the imported object's name, not a file here)
    # openssl crl -inform der -in $TMPFILE -out $TMPFILE.pem && /bin/mv $TMPFILE.pem $TMPFILE
    $TMSH modify /sys file ssl-crl demo.crl source-path file:$TMPFILE
    if [ $? -eq 0 ]; then
        $TMSH run /cm config-sync to-group /Common/CLUSTERNAME
    else
        echo "crl upload fail. Exiting."
        /bin/rm $TMPFILE
        exit 1
    fi
else
    echo "No crl file found or crl file empty. Exiting."
    /bin/rm $TMPFILE
    exit 1
fi

/bin/rm $TMPFILE
```
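The scripts in this thread all install whatever the HTTP download returns. As an added example (not code from the thread or from F5), the script below keeps the structure the replies converged on (download to a temp file so the old CRL survives a failed fetch, run only on the active unit, load with `tmsh modify /sys file ssl-crl ... source-path`, then config-sync) and adds the check a plain-HTTP fetch really needs: the new CRL must verify against the issuing CA's certificate and its nextUpdate must still be in the future, otherwise the old CRL is left in place. DER or PEM input is detected automatically. `CRL_URL`, `CA_FILE`, `CRL_NAME`, `DEVICE_GROUP` and the script path `/root/crl_update.sh` are placeholders for your environment; the tmsh commands are the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a CRL, verify it, then install it on BIG-IP.
# The values below are assumptions; change them for your environment.
CRL_URL="http://pki.example.com/certsrv/certcrl?Type=base&Renewal=0&Enc=bin"  # quoted: '&' is a shell operator
CRL_NAME="demo.crl"                 # name of the ssl-crl object already imported through the GUI
CA_FILE="/root/pki-ca.pem"          # PEM certificate of the CA that signs the CRL
DEVICE_GROUP="/Common/CLUSTERNAME"  # sync group of the active/standby pair
TMSH="/usr/bin/tmsh"

# True when the file is PEM (has the X509 CRL header); anything else is treated as DER.
crl_is_pem() {
    grep -q -- '-----BEGIN X509 CRL-----' "$1"
}

# Write a PEM copy of CRL $1 to $2, converting from DER when needed. Fails on non-CRL input.
crl_to_pem() {
    if crl_is_pem "$1"; then
        cp "$1" "$2"
    else
        openssl crl -inform der -in "$1" -outform pem -out "$2" 2>/dev/null
    fi
}

# Take a "nextUpdate=..." line as printed by openssl and succeed only if it lies after
# "now" ($2, epoch seconds; defaults to the current time). Unparseable dates fail.
next_update_ok() {
    value=${1#nextUpdate=}
    now=${2:-$(date -u +%s)}
    until_ts=$(date -u -d "$value" +%s 2>/dev/null) || return 1
    [ "$until_ts" -gt "$now" ]
}

# PEM CRL $1 must carry a valid signature from CA $2 and must not be stale.
crl_verify() {
    openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1 || return 1
    next_update_ok "$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null)"
}

# Only the active unit should fetch and push config; the standby receives it via config-sync.
is_active() {
    case "$("$TMSH" show sys failover)" in
        *active*) return 0 ;;
        *) return 1 ;;
    esac
}

install_crl() {
    tmp=$(mktemp) || return 1
    pem=$(mktemp) || { rm -f "$tmp"; return 1; }
    trap 'rm -f "$tmp" "$pem"' EXIT
    curl -f -s -o "$tmp" -g "$CRL_URL" || { echo "download failed, keeping current CRL"; return 1; }
    crl_to_pem "$tmp" "$pem" || { echo "downloaded file is not a CRL, keeping current CRL"; return 1; }
    crl_verify "$pem" "$CA_FILE" || { echo "CRL failed signature/nextUpdate check, keeping current CRL"; return 1; }
    "$TMSH" modify /sys file ssl-crl "$CRL_NAME" source-path "file:$pem" || return 1
    "$TMSH" run /cm config-sync to-group "$DEVICE_GROUP"
}

main() {
    is_active || exit 0
    install_crl
}

# Run the update only when invoked as "crl_update.sh run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Cron it on both units as `0 * * * * /root/crl_update.sh run`; the standby exits immediately and the active one does the work. Because the fetch is plain HTTP, the signature check against `CA_FILE` is what stops a spoofed or truncated download from replacing a good CRL, and the nextUpdate check catches a stale file served by a broken publisher.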