Create Your Own Certificate Authority
Problem this snippet solves: The main goal of this article is to share an easy way to create your own Certificate Authority (CA) for your lab enviroment with APM module. REF - https://github.com/DariuSGB/LabCA This repository is composed by a set of scripts that give you an easy way to: Create your own root CA. Create your own intermediate CA, signed by your root CA. Create your own certs, signed by your intermediate CA or your root CA. Create your own OCSP cert, for using it in your OCSP responder. Create your own CRL cert, for using it directly in your APM. Revoke your certs (remember to refresh your CRL cert after that). Create your own PKCS#12 cert (from regular PEM certs/keys) for installing it in your windows enviroment. Invoke a OCSP responder of your certs enviroment (remember to create a OCSP cert first). How to use this snippet: Download and install your enviroment using these commands: git clone https://github.com/DariuSGB/LabCA.git cd LabCA chmod +x $(ls | grep -v README) Tested this on version: 14.1
Script for External Monitor to check server OCSP Stapling Status
Problem this snippet solves: Many BIG-IPs do not have DNS configured to ensure that traffic can continue flowing even during a DNS hiccup (you know they happen). But this lack of DNS makes name-based checking like OCSP stapling difficult. BIG-IP therefore doesn't try to check the OCSP Stapling status of the servers in a pool it is bridging SSL traffic to. One solution to this problem is to use a BIG-IP External Monitor to check the revocation status of servers in a server pool. How to use this snippet: Save this snippet to a file on your desktop. From the BIG-IP GUI, choose the System panel on the left. Then choose File Management. Then choose External Program File List. Upload the file that you saved to the desktop, and give it an appropriate name such as MyOCSPmonitor. From the GUI, select Local Traffic and then Monitors. Create a new monitor with type External. Ensure that the External Program field is set to the OCSP monitor object you just created (MyOCSPmonitor). Because OCSP status is not something that is likely to change often, use long intervals (on the order of minutes rather than seconds) and timeouts. Note that you can use 'revoked.grc.com:443' for testing :) If you don't have DNS configured on the BIG-IP,use the IP address of revoked.grc.com instead of the hostname. Code : #!/bin/sh # # OCSP stapling status monitor # # these arguments supplied automatically for all external pingers: # $1 = IP (::ffff:nnn.nnn.nnn.nnn notation or hostname) # $2 = port (decimal, host byte order) # $3 and higher = additional arguments # # $MONITOR_NAME = name of the monitor # # In this sample script, $3 is the regular expression # # Name of the pidfile pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" # Send signal to the process group to kill our former self and any children # as external monitors are run with SIGHUP blocked if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile # Remove the IPv6/IPv4 compatibility prefix node_ip=`echo $1 | sed 's/::ffff://'` # ================================================================= # OCSP Stapling # # it's better to check for 'Revoked' and use that as a trigger for # down rather than looking for success. There's ton of other # reasons that a node might be unavailable to report its status # (down for maintenance, network # hiccoughs, etc). # # Note that you can use 'revoked.grc.com:443' for testing :) # # Use the on-box openssl utility to query ocspstatus # ================================================================= cnt=`echo -e "GET /" | openssl s_client -status -connect ${node_ip}:$2 2> /dev/null | grep -A20 ^OCSP.Response.Data: | grep -c "Cert Status: revoked"` if [ $cnt -eq 0 ] then # Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" fi # Remove the pidfile before the script ends rm -f $pidfile