Hi folks,
Came across a similar issue when a PKI I was working with did not support OCSP and the CRLDP setup would not work due to the CRLDP info in the cert being without a hostname, i.e. ldap:///CN=... (http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12975.html?sr=22851678)
So the only workaround was implementing a scripted download/update of the CRL file, from an 11.1 box, so I thought I'd add what I did here, basically modifying the above script to suit with a few extras.
Note that if you save the script in /root/ then I am told the script won't be wiped out if you upgrade the OS/apply a hotfix etc. However, the crontab entry may be wiped out if you upgrade the OS/apply a hotfix I believe - haven't tested it. The script also has some additional error checking and emails out a notification if there's an error in curl getting the file.
#!/bin/sh
# NOTE:
# - Remember that you need to manually import a CRL file through the GUI with the same name as the one used by this
#   script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List
# - Remember to make this script executable (chmod 700 or as applicable) and test it from CLI first
# - Add it to crontab (crontab -e), e.g. if you want to run it on the hour every hour add 0 * * * * /root/demo_crl.sh
cd /root
# delete the old file if it exists
if [ -f demo.crl ]; then
    mv demo.crl demo.crl.old
fi
if [ $? -eq 0 ]; then
    # Download CRL faking the host header because we're using an IP address in the request
    # rdexec only available in v11.1 - runs a CLI command against a specific route domain see sol13472
    # Change <rd-id> to your route domain ID (you can omit rdexec entirely for Common route domain)
    # Change or remove --ntlm -u : if you need AD credentials to download
    # Enter the name and IP of your PKI server instead of <pki-hostname> and <1.2.3.4>
    # (the URL is quoted so the & characters are passed to curl rather than interpreted by the shell)
    rdexec <rd-id> curl -o demo.crl --ntlm -u : -H 'Host: <pki-hostname>' \
        -g 'http://<1.2.3.4>/certsrv/certcrl?Type=base&Renewal=0&Enc=bin'
    wait
    if [ -f demo.crl ]; then
        # convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above
        openssl crl -inform der -in demo.crl -out demo.pem
        rm demo.crl
        mv demo.pem demo.crl
        # This is the v11 location and TMSH command to 'touch' the config
        # Change <partition> to the relevant partition name (or Common) and <profile> to the relevant client ssl profile
        cat demo.crl > /config/filestore/files_d/<partition>_d/certificate_revocation_list_d/\:<partition>\:demo.crl_1
        tmsh modify ltm profile client-ssl /<partition>/<profile> crl-file /<partition>/demo.crl
    else
        # Email notify someone if this failed for any reason - need to setup mailhub in /etc/ssmtp/ssmtp.conf ref sol13180
        mail -s "CRL retrieval failed" admin@example.com < /dev/null
    fi
fi
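As an added example (not the poster's script and not anything from F5), here is a small POSIX sh helper that checks a fetched CRL before it is allowed to replace the copy in the filestore. It verifies the CRL signature against the issuing CA's certificate, rejects a CRL whose nextUpdate has already passed, and converts DER to PEM only when the download really is DER (the "ONLY IF NEEDED" step in the script above). It assumes openssl and GNU date are on PATH; the CA and CRLs it works on are generated locally as constructed test material, and the function names (crl_format, crl_is_trusted, stage_crl, make_demo_ca) are my own.

```shell
#!/bin/sh
# Added example, not the poster's script: sanity-check a fetched CRL before it
# is copied into the BIG-IP filestore. Assumes openssl and GNU date on PATH.
# All CA material is generated locally (constructed), nothing from a real PKI.

# Report the encoding of a CRL file: PEM, DER, or INVALID (PEM is probed first
# because OpenSSL 3 accepts PEM input regardless of -inform).
crl_format() {
    if openssl crl -inform PEM -in "$1" -noout >/dev/null 2>&1; then echo PEM
    elif openssl crl -inform DER -in "$1" -noout >/dev/null 2>&1; then echo DER
    else echo INVALID
    fi
}

# Succeed only if the CRL parses, its signature verifies against the CA cert
# in $2, and nextUpdate is still in the future. Reasons go to stderr.
crl_is_trusted() {
    crl="$1"; ca="$2"
    fmt=$(crl_format "$crl")
    [ "$fmt" != INVALID ] || { echo "reject: $crl is not a CRL" >&2; return 1; }
    # -CAfile makes openssl look up the issuer and check the CRL signature;
    # it reports "verify OK" on stderr, so capture both streams
    out=$(openssl crl -inform "$fmt" -in "$crl" -CAfile "$ca" -noout 2>&1) || true
    case "$out" in
        *"verify OK"*) ;;
        *) echo "reject: issuer/signature check failed: $out" >&2; return 1 ;;
    esac
    nxt=$(openssl crl -inform "$fmt" -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    exp=$(date -d "$nxt" +%s) || return 1   # GNU date parses "Jun 12 10:00:00 2025 GMT"
    [ "$exp" -gt "$(date +%s)" ] || { echo "reject: CRL expired at $nxt" >&2; return 1; }
}

# Convert to PEM only when the download is DER (instead of always running the
# DER->PEM step) and write $3 only after the checks pass.
stage_crl() {
    crl_is_trusted "$1" "$2" || return 1
    openssl crl -inform "$(crl_format "$1")" -in "$1" -outform PEM -out "$3"
}

# Build a throw-away CA named $2 and a 7-day CRL under $1 (constructed test
# material). Leaves $1/ca.pem, $1/demo.pem (PEM CRL) and $1/demo.crl (DER CRL).
make_demo_ca() {
    d="$1"; mkdir -p "$d/newcerts"
    : > "$d/index.txt"; echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    printf '[ca]\ndefault_ca=demo\n[demo]\ndir=%s\ndatabase=$dir/index.txt\n' "$d" > "$d/ca.cnf"
    printf 'new_certs_dir=$dir/newcerts\nserial=$dir/serial\ncrlnumber=$dir/crlnumber\n' >> "$d/ca.cnf"
    printf 'default_md=sha256\ndefault_crl_days=7\n' >> "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$2" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" -cert "$d/ca.pem" \
        -out "$d/demo.pem" >/dev/null 2>&1
    openssl crl -in "$d/demo.pem" -outform DER -out "$d/demo.crl"
}

# Stand-alone demo: a CRL from the expected CA is staged, one from another CA is not.
demo() {
    w=$(mktemp -d)
    make_demo_ca "$w/pki" "Demo Issuing CA"
    make_demo_ca "$w/rogue" "Other CA"
    echo "download format: $(crl_format "$w/pki/demo.crl")"
    stage_crl "$w/pki/demo.crl" "$w/pki/ca.pem" "$w/staged.crl" && echo "staged $w/staged.crl"
    stage_crl "$w/rogue/demo.crl" "$w/pki/ca.pem" "$w/never.crl" || echo "rogue CRL rejected"
    rm -rf "$w"
}
demo
```

To slot this into the cron script, call stage_crl on the curl output with your PKI's CA certificate in place of the unconditional openssl conversion, and only run the cat into the filestore when it succeeds; the mail branch then also fires on a bad CRL rather than only on a failed download. Without such a check, whatever curl returns (an HTML error page, a stale CRL, a CRL from the wrong issuer) ends up installed as the revocation list, and the client-ssl profile silently stops revoking anything it should.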