Hi All, Is possible configure auto-update the CRL? I have BIG-IP v 11. From CA I have downloaded and imported the CRL file. In the Client SSL profile I have configured: Cert - required ... and CRL => imported file. So, how I can configure the aoutomatically update of the CRL file? Is it possible set from GUI, or CLI only? THX

Hi Petras, You could potentially script this, but there isn't a facility within BIG-IP to auto-update the CRL. If you want realtime checking of client certs you could use APM or the Advanced Client Auth module to do OCSP verification. Aaron

Hi Hoolio, thank you for answer. Do you have any idea how to script the download? The CA publish the CRL file only as http. ThX

F5's approach to this problem is poor. This problem must be widespread, but is never adequately addressed, either here in the forum nor on the support site or documentation. Once again, the need for CRL updates has come up for us. In addition to downloading the CRL, we also had the following issues: * The IP address of the CRL server cannot be known in advance (it apparently changes from time to time). We need to use DNS to locate it * We cannot download the file using the DNS name because the internet is not accessible through the default route domain. * The CRL as downloaded is in DER format, so we need to convert it to PEM per the LTM's requirement * Even when a new CRL is in place, the tmm does not read it, so we have to "touch" the config to force it to reload it. We are currently using the following shell script, run once a day from cron, to achieve this. Note that this uses the bigpipe utility, which will not work in v11. It also needs a bit more error checking. ------------------------------------------------------------------------ !/bin/sh cd /var/tmp delete the old temporary files rm demo.crl demo.pem get the current IP address of the CRL server CRLIP4=`dig demo.example.com A | grep '^demo.*[0-9]$' | awk '{print $5}'` convert it to the IPv6 route domain 5 address CRLIP6=`rdip $CRLIP4\%5` if [ $? -eq 0 ]; then download the CRL faking the host header because we're using an IP address in the request curl -v -O -H 'Host: demo.example.com' -g http://[$CRLIP6]/crl/demo.crl if [ -f demo.crl ]; then convert the CRL from DER to PEM openssl crl -inform der -in demo.crl -out demo.pem rm demo.crl mv demo.pem /config/ssl/ssl.crl/ set the administrative parition to update the config bigpipe shell write partition mypartition 'touch' the clientssl profile so tmm re-reads the crl bigpipe profile clientssl demo-clientssl crl file demo.pem fi fi ------------------------------------------------------------------------ The above script refers to a script "rdip", which we pinched from elsewhere on the forums. It converts an IPv4 address with the route domain number appended to the special IPv6 address. This is shown below: ------------------------------------------------------------------------ !/bin/bash F5_RD_HEADER="2620:0:c10:f501:0:" F5_RD_HEADER="2610:0:c10:f501:0:" HOST_ADDRESS=${1/\%*} ROUTE_DOMAIN=${1/*\%} if [ ! -z $ROUTE_DOMAIN ]; then host_parts=($(echo $HOST_ADDRESS | grep -Po "\d+")) printf "%s%x:%x:%x\n" $F5_RD_HEADER $ROUTE_DOMAIN $(((${host_parts[0]} << 8) + ${host_parts[1]})) $(((${host_parts[2]} << 8) + ${host_parts[3]})) exit 0 fi ------------------------------------------------------------------------ I hope this helps

Here is the manual section on validating certificate revocation status. This section covers CRLs, OCSP, and CRLDP. -George

Hi folks, Came across similar issue when a PKI I was working with did not support OCSP and the CRLDP setup would not work due to the CRLDP info in the cert being without a hostname i.e. ldap:///CN=... (http://support.f5.com/kb/en-us/solutions/public/12000/900/sol12975.html?sr=22851678) So only workaround was implementing a scripted download/update to CRL file, from an 11.1 box, so thought I'd add what I did here, basically modifying the above script to suit with a few extras. Note that if you save the script in /root/ then I am told the script won't be wiped out if you upgrade OS/apply hotfix etc. However, the crontab entry may be wiped out if you upgrade OS/apply hotfix I believe - havn't tested it. The script also has some additional error checking and emails out a notification if there's an error in curl getting the file. !/bin/sh NOTE: - Remember that you need to manually import a CRL file through the GUI with the same name as the one use by this script FIRST, otherwise the config 'touch' will fail. Load it through Local Traffic -> SSL Certificate List - Remember to make this script executable (chmod 700 or as applicable) and test it from CLI first - Add it to crontab (crontab -e), e.g. if you want to run it on the hour every hour add 0 * * * * /root/demo_crl.sh cd /root delete the old file if it exists if [ -f demo.crl]; then mv demo.crl demo.crl.old fi if [ $? -eq 0 ]; then Download CRL faking the host header because we're using an IP address in the request rdexec only available in v11.1 - runs a CLI command against a specific route domain see sol13472 Change to your route domain ID (you can omit rdexec entirely for Common route domain) Change or remove --ntlm -u : if you need AD credentials to download Enter the name and IP of your PKI server instead of and <1.2.3.4> rdexec curl -o demo.crl --ntlm -u : -H 'Host: ' -g http://<1.2.3.4>/certsrv/certcrl?Type=base&Renewal=0&Enc=bin wait if [ -f demo.crl ]; then convert the CRL from DER to PEM - ONLY IF NEEDED, my CRL was in PEM format already from above openssl crl -inform der -in demo.crl -out demo.pem rm demo.crl mv demo.pem demo.crl This is the v11 location and TMSH command to 'touch' the config Change to the relevant partition name (or Common) and to the relevant client ssl profile cat demo.crl > /config/filestore/files_d/_d/certificate_revocation_list_d/\:\:demo.crl_1 tmsh modify ltm profile client-ssl // crl-file //demo.crl else Email notify someone if this failed for any reason - need to setup mailhub in /etc/ssmtp/ssmtp.conf ref sol13180 mail -s "CRL retrieval failed" admin@example.com < /dev/null fi fi

Automaticlly update CRL

17 Replies

Kevin_Stewart

Employee

Apr 29, 2013

Always love a good scripting challenge. 😉 Here's another version that adds some capabilities:

1. Aggregates multiple CRLs into a single file - in the event that you have multiple CAs in your CA bundle and have to validate against multiple CRLs.

2. Checks the expiration date against an established threshold value before updating.

There are two files:

1. The INI file that lists the CRL publishers. I created a special directory under /config to hold this, and it lists each CRL path on a separate line. Here's a sample of the INI file:

http://ca.alpha.com/crl/crl.alpha.com.crl

http://ca.bravo.com/crl/crl.bravo.com.crl

2. The script:


!/bin/bash

 set path to staged CRLs
crl_path=/config/dev/crl/

 set client SSL profile name
clientssl_prof=test-sslcrof

 set INI file path
crl_ini=/config/dev/crlupdate.ini

 set acceptable threshold in seconds (172800 seconds = 2 days)
crl_threshold=172800

 FUNCTIONS 
GET_CURRENT_CRL() {
   remote_path=$1
   remote_name=$2
    get the current CRL (or retrieve if missing)
   if [ ! -f $crl_path$remote_name ]
   then
       file does not exist - go get it
      logger -p local0.info -t CRLUPDATE "Error: File ($crl_path$remote_name) doesn't exist - attempting to retrieve it"
      ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
      if [ $ret -eq 200 ] && [ -f $remote_name ]
      then
          got a new CRL (and we know/assume it's current)
         mv $remote_name $crl_path
          convert a copy to PEM format
         openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
         HAS_UPDATED=1
         return 0
      else
          didn't get CRL - error and log
         rm -f $remote_name
         logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
         return 1
      fi
   else
       already have the CRL - now check to see if it's valid     

       get the current date
      this_date=`date +%s`

       extract the date from the current CRL
      this_crl_date_literal=`openssl crl -in $crl_path$remote_name -inform DER -noout -nextupdate |sed s/nextUpdate=//`
      this_crl_date=`date -d "$this_crl_date_literal" +%s`

       compare current date and current CRL date for threshold
      if [ $this_date -ge $(($this_crl_date - $crl_threshold)) ]
      then
          crl date exceeds threshold - crl is about to expire or has expired - fetch the new crl
         logger -p local0.info -t CRLUPDATE "Error: Current CRL exceeds the threshold (is expired or about to expire)"
         ret=`curl --url $remote_path$remote_name --remote-name --silent --write-out "%{http_code}"`
         if [ $ret -eq 200 ] && [ -f $remote_name ]
         then
             got a new CRL (and we know/assume its current)
            mv $remote_name $crl_path
             convert a copy to PEM format
            openssl crl -in $crl_path$remote_name -inform DER -outform PEM -out $crl_path$remote_name.PEM
            HAS_UPDATED=1
            return 0
         else
             didn't get CRL - error and log
            rm -f $remote_name
            logger -p local0.info -t CRLUPDATE "Error: Could not retrieve CRL ($remote_name) from ($remote_path)"
            return 1
         fi
      else 
          CRL is current
         return 0
      fi
   fi
}
 END FUNCTIONS 

HAS_UPDATED=0

 loop through CRL ini file to retrieve listed CRLs
while read p
do
   file=${p*/}
   path=`echo $p |sed s/$file//`
   GET_CURRENT_CRL $path $file
done < $crl_ini

if [ $HAS_UPDATED == 1 ]
then
    only proceed if some CRLs have been updated
   logger -p local0.info -t CRLUPDATE "Some CRLs have been updated - push to client SSL profile"

    delete existing crl concat files in path
   rm -f crl.*

    concat the existing PEM CRLs
   this_date=`date +%s`
   big_crl=crl.$this_date
   for f in $crl_path*.PEM
   do
      echo " $f" >>$big_crl
      cat $f >>$big_crl
   done

    upload the new CRL to the system
   tmsh install sys crypto crl $big_crl from-local-file $big_crl

    get the current CRL from the stated client SSL profile and replace with new CRL
   curr_crl=`tmsh list ltm profile client-ssl $clientssl_prof crl-file |grep crl-file |sed s/crl-file//`
   tmsh modify ltm profile client-ssl $clientssl_prof crl-file $big_crl

    remove the old CRL from the system
   tmsh delete sys crypto crl $curr_crl
else
    no CRL has been updated
   logger -p local0.info -t CRLUPDATE "All CRLs are up to date"
fi

There are 4 variables that you have to modify:

set path to staged CRLs

crl_path=/config/dev/crl/

This is where you'll stage and cache the CRLs.

set client SSL profile name

clientssl_prof=test-sslcrof

This is the name of the client SSL profile that will be modified.

set INI file path

crl_ini=/config/dev/crlupdate.ini

This is the physical location of the INI file.

set acceptable threshhold in seconds (172800 seconds = 2 days)

crl_threshold=172800

This is the threshold that you specify before a CRL will be updated.

The script will parse the INI file and for each line (CRL path) run the GET_CURRENT_CRL function. If the CRL doesn't exist in the cache, as defined by crl_path, it'll go get a new one. If one does exist it'll check its date against the threshold and go get a new one if it exceeds the threshold. If it has to get a new CRL for any of the CRLs in the INI, it'll set HAS_UPDATED to 1, which will then cause the script to aggregate all of the CRLs into a single file and replace the existing CRL in the client SSL profile. It'll give the new CRL a name based on the date (ie. crl.date).

hooleylist
Cirrostratus
Apr 29, 2013
Thanks guys! Both examples scream "add me to the codeshare" :)

http://devcentral.f5.com/wiki/AdvDesignConfig.codeshare.ashx

Aaron
AndyCapp_4984
Nimbostratus
Nov 15, 2013
Lovely script, just a side note
while read p do file=${p*/} path=
echo $p |sed s/$file//
GET_CURRENT_CRL $path $file
done < $crl_ini
could be a bit cryptic. Could use dirname(1)
Anderson__Eric_
Nimbostratus
Jul 24, 2014
Used this code to implement and automate process to update the CRL (THANK YOU EVERYONE above!), but have a dilemma. In some cases we may have an issue and need to 'back out' the CRL. Is there a command syntax to remove/disable the setting on the ssl profile? Our automated process automatically re-applies the setting but in all the online documentation, nothing shows how to nullify/remove/clear a value. Right now using "bigpipe profile clientssl demo-clientssl crl file demo.pem" in the above example.

Kevin_Stewart

Employee

Jul 24, 2014

Using tmsh:

tmsh modify ltm profile client-ssl [profile name] crl-file none

Lucas_Thompson_
Historic F5 Account
Aug 13, 2014
Note that for the APM use case of: 1- Request and get client certificate. 2- Validate certificate against CA cert. 3- Check client certificate against CRL hosted on an external HTTP server during Access Policy execution.. It now works correctly. Versions prior to 11.4.0 did not support CRLDP via HTTP. 11.4.0+ does support this, so for APM client use, the problem should be resolved and any kind of script should not be required.
Gicu_337843
Nimbostratus
Nov 20, 2017
Hello everybody. Guys , how can I configure the automatically update of the CRL file in F5 version 13? Thanks.

Forum Discussion

Automaticlly update CRL

17 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Auditing Security Policy Updates

iCall CRL update with Route Domains and Auto-Sync

Update your DevCentral user profile

Sample Linux script to update CRL file from Certificate Authority

Building an OpenSSL Certificate Authority - Configuring CRL and OCSP