Automatically update CRL
Is it possible to configure auto-update of the CRL?
I have BIG-IP v 11. From the CA I have downloaded and imported the CRL file. In the Client SSL profile I have configured: Cert - required ... and CRL => imported file.
So, how can I configure the automatic update of the CRL file?
Is it possible to set it from the GUI, or CLI only?
THX
- Kevin_Stewart
Employee
Always love a good scripting challenge. 😉 Here's another version that adds some capabilities:

```bash
#!/bin/bash

# set path to staged CRLs
crl_path=/config/dev/crl/
# set client SSL profile name
clientssl_prof=test-sslcrof
# set INI file path (one CRL URL per line)
crl_ini=/config/dev/crlupdate.ini
# set acceptable threshold in seconds (172800 seconds = 2 days)
crl_threshold=172800

##### FUNCTIONS #####
GET_CURRENT_CRL() {
    remote_path=$1
    remote_name=$2

    # get the current CRL (or retrieve if missing)
    if [ ! -f $crl_path$remote_name ]
    then
        # file does not exist - go get it
        logger -p local0.info -t CRLUPDATE "Error: File ($crl_path$remote_name) doesn't exist - attempting to retrieve it"
        ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
        if [ $ret -eq 200 ] && [ -f $remote_name ]
        then
            # got a new CRL (and we know/assume it's current)
            mv $remote_name $crl_path
            # convert a copy to PEM format
            openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
            HAS_UPDATED=1
            return 0
        else
            # didn't get CRL - error and log
            rm -f $remote_name
            logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
            return 1
        fi
    else
        # already have the CRL - now check to see if it's valid
        # get the current date
        this_date=`date +%s`
        # extract the nextUpdate date from the current CRL
        this_crl_date_literal=`openssl crl -in $crl_path$remote_name -inform DER -noout -nextupdate |sed s/nextUpdate=//`
        this_crl_date=`date -d "$this_crl_date_literal" +%s`
        # compare current date and current CRL date for threshold
        if [ $this_date -ge $(($this_crl_date - $crl_threshold)) ]
        then
            # crl date exceeds threshold - crl is about to expire or has expired - fetch the new crl
            logger -p local0.info -t CRLUPDATE "Error: Current CRL exceeds the threshold (is expired or about to expire)"
            ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
            if [ $ret -eq 200 ] && [ -f $remote_name ]
            then
                # got a new CRL (and we know/assume it's current)
                mv $remote_name $crl_path
                # convert a copy to PEM format
                openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
                HAS_UPDATED=1
                return 0
            else
                # didn't get CRL - error and log
                rm -f $remote_name
                logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
                return 1
            fi
        else
            # CRL is current
            return 0
        fi
    fi
}
##### END FUNCTIONS #####

HAS_UPDATED=0

# loop through CRL ini file to retrieve listed CRLs
while read p
do
    file=${p##*/}
    path=`echo $p |sed s/$file//`
    GET_CURRENT_CRL $path $file
done < $crl_ini

if [ $HAS_UPDATED == 1 ]
then
    # only proceed if some CRLs have been updated
    logger -p local0.info -t CRLUPDATE "Some CRLs have been updated - push to client SSL profile"
    # delete existing crl concat files in path
    rm -f crl.*
    # concat the existing PEM CRLs
    this_date=`date +%s`
    big_crl=crl.$this_date
    for f in $crl_path*.PEM
    do
        echo "# $f" >>$big_crl
        cat $f >>$big_crl
    done
    # upload the new CRL to the system
    tmsh install sys crypto crl $big_crl from-local-file $big_crl
    # get the current CRL from the stated client SSL profile and replace with new CRL
    curr_crl=`tmsh list ltm profile client-ssl $clientssl_prof crl-file |grep crl-file |sed s/crl-file//`
    tmsh modify ltm profile client-ssl $clientssl_prof crl-file $big_crl
    # remove the old CRL from the system
    tmsh delete sys crypto crl $curr_crl
else
    # no CRL has been updated
    logger -p local0.info -t CRLUPDATE "All CRLs are up to date"
fi
```
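Kevin's script decides whether to fetch by having openssl print the CRL's nextUpdate and comparing it with the current time minus the threshold. As an added example that is not part of this thread or of F5's tooling, the Python below applies the same freshness rule to a CRL it parses itself (DER or PEM), and also exposes the revoked serials, which the script never inspects. Everything in it is constructed for illustration: the sample CRL is built inline with a dummy signature (it would not verify against any CA), and the names parse_crl, needs_refresh and is_revoked are the example's own.

```python
"""Minimal RFC 5280 CRL parse plus the bash script's freshness rule (added example)."""
import base64
import datetime as dt
import re

UTC = dt.timezone.utc


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _utctime(t):
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


# --- constructed sample: v2 CRL from "Constructed Test CA", 7-day lifetime, one entry ---
THIS_UPDATE = dt.datetime(2024, 1, 1, tzinfo=UTC)
NEXT_UPDATE = dt.datetime(2024, 1, 8, tzinfo=UTC)
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3
_alg = _tlv(0x30, _tlv(0x06, OID_SHA256_RSA) + _tlv(0x05, b""))
_issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, b"Constructed Test CA"))))
_revoked = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x10\x01") + _utctime(dt.datetime(2023, 12, 31, 12, tzinfo=UTC))))
_tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _alg + _issuer + _utctime(THIS_UPDATE) + _utctime(NEXT_UPDATE) + _revoked)
SAMPLE_CRL_DER = _tlv(0x30, _tbs + _alg + _tlv(0x03, b"\x00" + bytes(16)))  # dummy signature
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_CRL_DER) + b"-----END X509 CRL-----\n"


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                     # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                      # UTCTime: YY < 50 means 20YY (RFC 5280 4.1.2.5.1)
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def to_der(data):
    """Accept DER or PEM, mirroring the script's openssl DER->PEM conversion step."""
    m = re.search(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def parse_crl(data):
    """Extract version, thisUpdate, nextUpdate and revoked serials from a CRL."""
    _, cert_list, _ = _read_tlv(to_der(data), 0)
    _, tbs, _ = _read_tlv(cert_list, 0)          # TBSCertList; signature fields follow it
    fields, pos = [], 0
    while pos < len(tbs):
        tag, value, pos = _read_tlv(tbs, pos)
        fields.append((tag, value))
    i, version = 0, 1
    if fields[0][0] == 0x02:                     # optional version INTEGER (v2 is encoded as 1)
        version, i = int.from_bytes(fields[0][1], "big") + 1, 1
    this_update = _parse_time(*fields[i + 2])    # fields i, i+1 are signature alg and issuer
    next_update, j = None, i + 3
    if j < len(fields) and fields[j][0] in (0x17, 0x18):
        next_update, j = _parse_time(*fields[j]), j + 1
    revoked = {}
    if j < len(fields) and fields[j][0] == 0x30:  # revokedCertificates SEQUENCE OF entries
        body, p = fields[j][1], 0
        while p < len(body):
            _, entry, p = _read_tlv(body, p)
            _, serial, q = _read_tlv(entry, 0)
            tag, when, _ = _read_tlv(entry, q)
            revoked[int.from_bytes(serial, "big")] = _parse_time(tag, when)
    return {"version": version, "this_update": this_update, "next_update": next_update, "revoked": revoked}


def needs_refresh(crl, threshold_seconds=172800, now=None):
    """True when the CRL is expired or within threshold of expiry: now >= nextUpdate - threshold."""
    if now is None:
        now = dt.datetime.now(UTC)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    if crl["next_update"] is None:               # no nextUpdate: treat as always stale
        return True
    return now >= crl["next_update"] - dt.timedelta(seconds=threshold_seconds)


def is_revoked(crl, serial):
    return serial in crl["revoked"]


if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL_PEM)
    print("nextUpdate:", crl["next_update"].isoformat(), "refresh due now?", needs_refresh(crl))
```

Feed it the staged DER or .PEM files from the script's crl_path to get the same stale/fresh decision without shelling out to openssl and date; a CRL that omits nextUpdate is treated as always due, whereas the script's sed/date pipeline would fail on the empty string.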
- hoolio
Cirrostratus
Thanks guys! Both examples scream "add me to the codeshare" :)
- AndyCapp_4984
Nimbostratus
Lovely script, just a side note:

```bash
while read p
do
    file=${p##*/}
    path=`echo $p |sed s/$file//`
    GET_CURRENT_CRL $path $file
done < $crl_ini
```

could be a bit cryptic. Could use dirname(1).
- Anderson__Eric_
Nimbostratus
Used this code to implement and automate the process to update the CRL (THANK YOU EVERYONE above!), but have a dilemma. In some cases we may have an issue and need to 'back out' the CRL. Is there a command syntax to remove/disable the setting on the SSL profile? Our automated process automatically re-applies the setting, but in all the online documentation nothing shows how to nullify/remove/clear a value. Right now using "bigpipe profile clientssl demo-clientssl crl file demo.pem" in the above example.
- Kevin_Stewart
Employee
Using tmsh:
tmsh modify ltm profile client-ssl [profile name] crl-file none
- Lucas_Thompson_
Historic F5 Account
Note that for the APM use case of:
1- Request and get client certificate.
2- Validate certificate against CA cert.
3- Check client certificate against CRL hosted on an external HTTP server during Access Policy execution.
It now works correctly. Versions prior to 11.4.0 did not support CRLDP via HTTP. 11.4.0+ does support this, so for APM client use, the problem should be resolved and any kind of script should not be required.
- Gicu_337843
Nimbostratus
Hello everybody. Guys, how can I configure the automatic update of the CRL file in F5 version 13? Thanks.