Forum Discussion
petras123_10972
Nimbostratus
Apr 23, 2012
Automatically update CRL
Hi All,
Is it possible to configure auto-update of the CRL?
I have BIG-IP v11. From the CA I have downloaded and imported the CRL file. In the Client SSL profile I have configured: Cert - required ... a...
Kevin_Stewart
Employee
Apr 29, 2013
Always love a good scripting challenge. 😉 Here's another version that adds some capabilities:
1. Aggregates multiple CRLs into a single file - in the event that you have multiple CAs in your CA bundle and have to validate against multiple CRLs.
2. Checks the expiration date against an established threshold value before updating.
There are two files:
1. The INI file that lists the CRL publishers. I created a special directory under /config to hold this, and it lists each CRL path on a separate line. Here's a sample of the INI file:
http://ca.alpha.com/crl/crl.alpha.com.crl
http://ca.bravo.com/crl/crl.bravo.com.crl
2. The script:
#!/bin/bash

# set path to staged CRLs
crl_path=/config/dev/crl/
# set client SSL profile name
clientssl_prof=test-sslcrof
# set INI file path
crl_ini=/config/dev/crlupdate.ini
# set acceptable threshold in seconds (172800 seconds = 2 days)
crl_threshold=172800

# FUNCTIONS
GET_CURRENT_CRL() {
    remote_path=$1
    remote_name=$2
    # get the current CRL (or retrieve if missing)
    if [ ! -f $crl_path$remote_name ]
    then
        # file does not exist - go get it
        logger -p local0.info -t CRLUPDATE "Error: File ($crl_path$remote_name) doesn't exist - attempting to retrieve it"
        ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
        if [ $ret -eq 200 ] && [ -f $remote_name ]
        then
            # got a new CRL (and we know/assume it's current)
            mv $remote_name $crl_path
            # convert a copy to PEM format
            openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
            HAS_UPDATED=1
            return 0
        else
            # didn't get CRL - error and log
            rm -f $remote_name
            logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
            return 1
        fi
    else
        # already have the CRL - now check to see if it's valid
        # get the current date
        this_date=`date +%s`
        # extract the date from the current CRL
        this_crl_date_literal=`openssl crl -in $crl_path$remote_name -inform DER -noout -nextupdate |sed s/nextUpdate=//`
        this_crl_date=`date -d "$this_crl_date_literal" +%s`
        # compare current date and current CRL date for threshold
        if [ $this_date -ge $(($this_crl_date - $crl_threshold)) ]
        then
            # crl date exceeds threshold - crl is about to expire or has expired - fetch the new crl
            logger -p local0.info -t CRLUPDATE "Error: Current CRL exceeds the threshold (is expired or about to expire)"
            ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
            if [ $ret -eq 200 ] && [ -f $remote_name ]
            then
                # got a new CRL (and we know/assume it's current)
                mv $remote_name $crl_path
                # convert a copy to PEM format
                openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
                HAS_UPDATED=1
                return 0
            else
                # didn't get CRL - error and log
                rm -f $remote_name
                logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
                return 1
            fi
        else
            # CRL is current
            return 0
        fi
    fi
}
# END FUNCTIONS

HAS_UPDATED=0
# loop through CRL ini file to retrieve listed CRLs
while read p
do
    # file name is everything after the last '/', path is the rest
    file=${p##*/}
    path=`echo $p |sed s/$file//`
    GET_CURRENT_CRL $path $file
done < $crl_ini

if [ $HAS_UPDATED == 1 ]
then
    # only proceed if some CRLs have been updated
    logger -p local0.info -t CRLUPDATE "Some CRLs have been updated - push to client SSL profile"
    # delete existing crl concat files in path
    rm -f crl.*
    # concat the existing PEM CRLs
    this_date=`date +%s`
    big_crl=crl.$this_date
    for f in $crl_path*.PEM
    do
        # comment line naming the source file, followed by the PEM CRL itself
        echo "# $f" >>$big_crl
        cat $f >>$big_crl
    done
    # upload the new CRL to the system
    tmsh install sys crypto crl $big_crl from-local-file $big_crl
    # get the current CRL from the stated client SSL profile and replace with new CRL
    curr_crl=`tmsh list ltm profile client-ssl $clientssl_prof crl-file |grep crl-file |sed s/crl-file//`
    tmsh modify ltm profile client-ssl $clientssl_prof crl-file $big_crl
    # remove the old CRL from the system
    tmsh delete sys crypto crl $curr_crl
else
    # no CRL has been updated
    logger -p local0.info -t CRLUPDATE "All CRLs are up to date"
fi
There are 4 variables that you have to modify:
    # set path to staged CRLs
    crl_path=/config/dev/crl/
This is where you'll stage and cache the CRLs.
    # set client SSL profile name
    clientssl_prof=test-sslcrof
This is the name of the client SSL profile that will be modified.
    # set INI file path
    crl_ini=/config/dev/crlupdate.ini
This is the physical location of the INI file.
    # set acceptable threshold in seconds (172800 seconds = 2 days)
    crl_threshold=172800
This is the threshold that you specify before a CRL will be updated.
The script will parse the INI file and for each line (CRL path) run the GET_CURRENT_CRL function. If the CRL doesn't exist in the cache, as defined by crl_path, it'll go get a new one. If one does exist, it'll check its date against the threshold and go get a new one if it exceeds the threshold. If it has to get a new CRL for any of the CRLs in the INI, it'll set HAS_UPDATED to 1, which will then cause the script to aggregate all of the CRLs into a single file and replace the existing CRL in the client SSL profile. It'll give the new CRL a name based on the date (i.e. crl.date).
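The script above installs whatever the CRL publisher returns over plain HTTP, so a practitioner would normally verify the download before staging it. The functions below are an added example (not Kevin's script) that reproduce its URL split and threshold test as testable functions and add an acceptance check: the fetched DER CRL must verify against the issuing CA certificate (the ca_cert path is an assumption, not something the script has) and must not carry an earlier nextUpdate than the cached copy.

```shell
#!/bin/bash
# Added example, not part of the original script. Assumes a local copy of
# the issuing CA certificate (ca_cert argument, hypothetical path) is kept
# beside the staged CRLs; function names here are illustrative.

# Split "http://host/dir/file.crl" into directory URL and file name, the
# way the script's read loop does (${p##*/} strips up to the last '/').
split_crl_url() {
    local url=$1 file path
    file=${url##*/}
    path=${url%"$file"}
    echo "$path $file"
}

# True when the cached CRL must be refreshed: the script's own test,
# this_date >= this_crl_date - crl_threshold, all in epoch seconds.
crl_needs_refresh() {
    local now=$1 next_update=$2 threshold=$3
    [ "$now" -ge $((next_update - threshold)) ]
}

# nextUpdate of a DER CRL as epoch seconds (GNU date, as on BIG-IP).
crl_next_update_epoch() {
    local literal
    literal=$(openssl crl -in "$1" -inform DER -noout -nextupdate) || return 1
    date -d "${literal#nextUpdate=}" +%s
}

# Accept a downloaded CRL only if it verifies against the expected CA and
# its nextUpdate is not earlier than the cached copy's; a stale or
# substituted CRL is logged and rejected instead of being installed.
# "verify OK" is grepped because some openssl versions exit 0 even on
# "verify failure".
crl_is_acceptable() {
    local new_crl=$1 cached_crl=$2 ca_cert=$3 new_nu old_nu
    if ! openssl crl -in "$new_crl" -inform DER -CAfile "$ca_cert" -noout 2>&1 \
         | grep -q '^verify OK'; then
        logger -p local0.info -t CRLUPDATE "Error: CRL ($new_crl) failed CA signature check"
        return 1
    fi
    if [ -f "$cached_crl" ]; then
        new_nu=$(crl_next_update_epoch "$new_crl") || return 1
        old_nu=$(crl_next_update_epoch "$cached_crl") || return 1
        if [ "$new_nu" -lt "$old_nu" ]; then
            logger -p local0.info -t CRLUPDATE "Error: CRL ($new_crl) is older than the cached copy"
            return 1
        fi
    fi
    return 0
}
```

Call crl_is_acceptable on the file curl wrote, before the mv into crl_path, and leave the cached copy in place when it returns non-zero.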