Forum Discussion
Automatically update CRL
Came across a similar issue when a PKI I was working with did not support OCSP and the CRLDP setup would not work, due to the CRLDP info in the cert being without a hostname, i.e. ldap:///CN=... (http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12975.html?sr=22851678)
So the only workaround was implementing a scripted download/update of the CRL file from an 11.1 box, so I thought I'd add what I did here, basically modifying the above script to suit, with a few extras.
Note that if you save the script in /root/ then I am told the script won't be wiped out if you upgrade the OS/apply a hotfix etc. However, the crontab entry may be wiped out if you upgrade the OS/apply a hotfix, I believe - I haven't tested it. The script also has some additional error checking and emails out a notification if there's an error in curl getting the file.
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by this
#   script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List
# - Remember to make this script executable (chmod 700 or as applicable) and test it from the CLI first
# - Add it to crontab (crontab -e), e.g. if you want to run it on the hour every hour add 0 * * * * /root/demo_crl.sh

cd /root || exit 1

# Keep the previous download aside so the existence of demo.crl below means curl produced a new file
if [ -f demo.crl ]; then
    mv demo.crl demo.crl.old
fi

# rdexec is only available in v11.1 - it runs a CLI command against a specific route domain, see sol13472
# Change <rd-id> to your route domain ID (you can omit rdexec entirely for the Common route domain)
# Change or remove --ntlm -u <user>:<password> if you need AD credentials to download
# Enter the name and IP of your PKI server instead of <hostname> and <1.2.3.4>
# -f makes curl fail (and write no file) on an HTTP error response, so an error page is never installed as a CRL
rdexec <rd-id> curl -f -o demo.crl --ntlm -u <user>:<password> -H 'Host: <hostname>' \
    -g 'http://<1.2.3.4>/certsrv/certcrl?Type=base&Renewal=0&Enc=bin'

if [ -f demo.crl ]; then
    # Enc=bin returns the CRL in DER form; the BIG-IP CRL object holds PEM. This conversion is assumed:
    # the posted script moves demo.pem into place without showing where demo.pem was created.
    openssl crl -inform DER -in demo.crl -outform PEM -out demo.pem
    mv demo.pem demo.crl
    # This is the v11 location and TMSH command to 'touch' the config
    # Change <partition> to the relevant partition name (or Common) and <profile> to the relevant client ssl profile
    # The trailing _1 is the filestore revision of the object you imported through the GUI; check the actual
    # file name with ls in that directory first, as the revision changes when the object is updated
    cat demo.crl > /config/filestore/files_d/<partition>_d/certificate_revocation_list_d/\:<partition>\:demo.crl_1
    tmsh modify ltm profile client-ssl /<partition>/<profile> crl-file /<partition>/demo.crl
else
    # Email notify someone if this failed for any reason - need to set up mailhub in /etc/ssmtp/ssmtp.conf, ref sol13180
    mail -s "CRL retrieval failed" admin@example.com < /dev/null
fi
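As an added example that is not part of the post above (and not F5 code), here is the gate a practitioner would want between the curl download and the copy into the filestore. The posted script installs whatever curl saved as demo.crl; this function refuses a file that is not a CRL (such as an HTML error page served with HTTP 200), a CRL that does not verify against the issuing CA's certificate, and a CRL whose nextUpdate has already passed. The function names (check_crl, make_test_ca, report, demo_crl_checks), the exit codes, and the throwaway CAs the demo builds are all my own constructions; the block assumes the openssl CLI and GNU date -d, both present on a BIG-IP.

```shell
#!/bin/sh
# Added example, not part of the original post: gate a downloaded CRL before it
# is copied into the filestore. As posted, the script installs whatever curl
# saved as demo.crl, so an HTML error page served with HTTP 200, a truncated
# body, a CRL from the wrong CA or an already-expired CRL would all go live.
# Assumes the openssl CLI and GNU date -d, both present on a BIG-IP.

# check_crl FILE CA_CERT [NOW_EPOCH]
#   0  FILE is a DER or PEM CRL signed by CA_CERT with nextUpdate still ahead
#   1  not a CRL at all      2  signature does not verify against CA_CERT
#   3  nextUpdate missing or unparseable      4  stale: nextUpdate <= now
# On success FILE.pem holds the PEM form the BIG-IP CRL object needs.
# NOW_EPOCH defaults to the current time; it is a parameter so the staleness
# rule can be exercised without waiting for a CRL to expire.
check_crl() {
    crl=$1; ca=$2; pem=$1.pem
    now=${3:-$(date +%s)}
    # certsrv ?Enc=bin returns DER; accept PEM as well. Anything else fails both.
    if ! openssl crl -inform DER -in "$crl" -out "$pem" >/dev/null 2>&1 &&
       ! openssl crl -inform PEM -in "$crl" -out "$pem" >/dev/null 2>&1; then
        echo "check_crl: $crl is not a CRL" >&2; return 1
    fi
    # Signature: openssl prints 'verify OK' on stderr only when the CRL was
    # signed by a cert in CA_CERT, so a swapped or tampered CRL is refused.
    if ! openssl crl -in "$pem" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK'; then
        echo "check_crl: $crl does not verify against $ca" >&2; return 2
    fi
    # Freshness: a replayed old CRL would silently un-revoke everything revoked
    # after its nextUpdate, so refuse one whose nextUpdate has passed.
    next=$(openssl crl -in "$pem" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ -n "$next" ] || return 3
    next_epoch=$(date -d "$next" +%s 2>/dev/null) || return 3
    if [ "$next_epoch" -le "$now" ]; then
        echo "check_crl: $crl is stale (nextUpdate $next)" >&2; return 4
    fi
    return 0
}

# --- Constructed fixtures for the demo: a throwaway CA, nothing real ---------
# make_test_ca DIR CN DAYS: self-signed CA named CN in DIR, plus a CRL valid for
# DAYS days in PEM (crl.pem) and DER (crl.der, the form certsrv ?Enc=bin delivers).
make_test_ca() {
    d=$1
    mkdir -p "$d" && : > "$d/index.txt"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database      = $d/index.txt
new_certs_dir = $d
certificate   = $d/ca.pem
private_key   = $d/ca.key
default_md    = sha256
default_days  = 365
policy        = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -days 365 -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    openssl ca -config "$d/ca.cnf" -gencrl -crldays "$3" -out "$d/crl.pem" >/dev/null 2>&1 || return 1
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/crl.der"
}

# report CMD...: run CMD and print its verdict with the exit status.
report() {
    if "$@"; then echo "ACCEPT: $*"; else echo "REJECT rc=$?: $*"; fi
}

demo_crl_checks() {
    t=$(mktemp -d)
    make_test_ca "$t/pki"   "Demo Issuing CA" 30 || return 1
    make_test_ca "$t/other" "Unrelated CA"    30 || return 1
    # What curl -o leaves behind when the server answers with a web page instead
    printf '<html><body>401 Unauthorized</body></html>' > "$t/page.html"
    report check_crl "$t/pki/crl.der" "$t/pki/ca.pem"                    # ACCEPT
    report check_crl "$t/page.html"   "$t/pki/ca.pem"                    # rc=1
    report check_crl "$t/pki/crl.der" "$t/other/ca.pem"                  # rc=2
    report check_crl "$t/pki/crl.der" "$t/pki/ca.pem" "$(( $(date +%s) + 40 * 86400 ))"  # rc=4: 40 days on
    rm -rf "$t"
}
demo_crl_checks
```

To use it in the posted script, call check_crl demo.crl /path/to/issuing-ca.pem right after the curl step (the certificate of the CA that signs the CRL has to be on the box already; the same one the client-ssl profile trusts is the natural choice), send the failure email on a non-zero status, and copy demo.crl.pem rather than demo.crl into the filestore. Treating a stale CRL as a failure is deliberate: falling back to a CRL whose nextUpdate has passed looks like it works, but anything the CA revoked since is accepted again.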