Sample Linux script to update CRL file from Certificate Authority

Problem this snippet solves:

CRL files are signed lists of revoked serial numbers issued by a specific Certificate Authority (Verisign, Godaddy, GlobalSign, etc). There are several advanced methods of dealing with revoked certificates, the best of which is OCSP stapling. Other methods are OCSP responders or CRL Distribution Points.

However, for small or internal projects, some administrators rely on simply using straight-up CRL files. After a time, the administrator will realize he or she needs to automate this process with a script. The administrator can automate this process on the BIG-IP itself with an iCall script. Here's a link to a great example of the iCall solution.

However, some administrators many need to use a straight-up Linux device to pull and copy the CRL files around to many different devices, only one of which is the BIG-IP.

How to use this snippet:

This is a sample of a Linux script that pulls down a CRL file from GoDaddy, verifies it and then copies it to BIG-IP.

1. Ensure that the Linux device can copy files directly to the BIG-IP via ssh-key authentication.

2. Modify the 'f5' variable of the script to point to the BIG-IP. If not using GoDaddy, find the URL of the CRL file for the appropriate CA.

3. If the 'ssl-crl' object hasn't been created on the BIG-IP yet, then it must be done manually the first time. Download the CRL, copy it to the BIG-IP's /var/tmp area. Then login to the BIG-IP and issue the following command:

   tmsh modify sys file ssl-crl gdcrl source-path file:/var/tmp/CRL

After that, the script should work.

Code :

#!/bin/bash
#
# script to download a CRL from GoDaddy CA.
# See this page for GoDaddy CRL information:
#     https://certs.godaddy.com/repository

# Verify CRL
# Convert CRL
# Copy to BIG-IP

# exit on error to prevent copying corrupt CRL to BIG-IP
set -e

f5=yourbigip.com
f5port=22

crlurl=https://certs.godaddy.com/repository/mastergodaddy2issuing.crl
gdcrturl=https://certs.godaddy.com/repository/gdig2.crt
gdcrt=gdig2.crt

echo "Automated CRL update Script"
echo "Downloading from $crlurl"
echo "Copying to ${f5}:${f5port}"
echo "Last line should be SUCCESS"
echo "---- GO ----"

if [ ! -f $gdcrt ]; then
echo "Fetching GoDaddy Certificate"
curl $gdcrturl > $gdcrt
fi

cf=gdroot.crl
last=last.crl

if [ -f $cf ]; then
if [ ! -s $cf ]; then
echo "Found existing zero-length CRL file, deleting"
rm -f $cf
else
echo "Found existing $cf - moving to backup"
mv $cf $last
fi
fi

echo "Downloading CRL file $cf"
curl $crlurl > $cf

echo "Testing $cf for readability"
test -f $cf
test -r $cf

echo "Testing to see if $cf is zero length"
test -s $cf

if [ -f $last ]; then
echo "Testing if $cf is newer than backup file $last"
if [ ! $cf -nt $last ]; then
echo "File not changed. SUCCESS"
fi
fi

echo "Verifying CRL against certificate, converting to PEM format"
openssl crl -inform DER -CAfile $gdcrt -in $cf -outform PEM -out ${cf}.pem

echo "Testing PEM for zero length"
test -s ${cf}.pem

echo "Copying CRL file to bigip"
scp -P ${f5port} ${cf}.pem root@${f5}:/var/tmp

echo "Importing CRL into system"
echo "   this may fail if object was never created - replace 'modify' with 'create'"

ssh root@${f5} -p ${f5port} "tmsh modify sys file ssl-crl gdcrl source-path file:/var/tmp/${cf}.pem"

echo "SUCCESS"