Machine Certificate Revocation Checks

Hi guys,

Just a quick one. Can you use a CRLDP AAA server to validate machine certificates? As far as I can see this can only be done using an OCSP responder but I just wanted to confirm.

Thanks

Peter


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Okay, this one took some time to figure out. So long story short, it wouldn't normally work because the CRLDP and (standalone) OCSP AAA agents require two inputs:

session.ssl.cert.whole
session.ssl.cert.certissuer

This is complicated by the fact that:

  1. The machine cert check doesn't create either of these.

  2. The machine certificate (PEM-encoded) data is only stored and accessible if you enable the "Save Certificate in a session variable" option in the Machine Cert Checker agent.

  3. The machine cert check saves the subject name string of the issuer, but the OCSP and CRLDP agents need the actual PEM-encoded issuer cert. The On-Demand Cert Auth agent stores the issuer's complete PEM-encoded certificate in the cache.

To get around this I had to do the following:

  • VPE

  • Machine Cert Auth - modify as required

  • Variable Assign - here I'm manually setting session.ssl.cert.whole from the machine cert's session.check_machinecert.last.cert.cert session variable, and then importing the entire PEM issuer certificate into the session.ssl.cert.certissuer session variable. If you have multiple issuer certs, you may have to create some switching or iRule logic to assign the correct value based on the issuer subject string from session.check_machinecert.last.cert.issuer.

  • OCSP or CRLDP Auth - modify as required
Comments on this Answer
Comment made 14-May-2014 by vandenhoutenp 103
Hi Kevin, WOW! Thank you so much for this, I really appreciate it. I'll give that a go! Thanks Peter
Comment made 07-Nov-2014 by Marvin 430
Hi Kevin, I configured the APM with cert authentication and CRL lookup with the variable assign you described above. The CRL lookup appears to succeed but there is an error message in the APM logfile:

Nov 7 12:34:34 nllb003p warning apd[8576]: 0149015e:4: 308e3198: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap:///CN=ENTCACRV(1),CN=SWCFR0013,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADCRV,DC=CRV4ALL,DC=COM?certificateRevocationList?base?objectClass=cRLDistributionPoint' reason 'No valid host found'

If I analyse the CRL lookup using HTTP I successfully retrieve the CRL list from the CA server / CRLDP. If I revoke a client personal certificate it is still processed successfully. There seems to be a problem with the CRL lookup, any ideas? Marvin
Comment made 07-Nov-2014 by Marvin 430
It doesn't matter if I revoke the certificate; the message will always show up in the APM logs.
Comment made 07-Nov-2014 by Marvin 430
I can mail you the complete APM log output if you'd like, please let me know. Thanks, Marvin
Comment made 07-Nov-2014 by Marvin 430
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.cert.cn' set to 'ENTCACRV'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.cert.issuer' set to '/DC=COM/DC=CRV4ALL/DC=ADCRV/CN=ENTCACRV'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.cert.serial' set to '346986C00001000003A2'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.cert.subject' set to ''
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.certificate_revoked' set to '0'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.certificate_verified' set to '1'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.error_message' set to 'No error'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.result' set to '1'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.check_machinecert.last.signature_verified' set to '1'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490004:6: 308e3198: Executed agent '/Common/perform_cert_check_act_variable_assign_ag', return value 0
Nov 7 12:34:34 nllb003p info apd[8576]: 01490006:6: 308e3198: Following rule 'fallback' from item 'Variable Assign' to item 'CRLDP Auth'
Nov 7 12:34:34 nllb003p warning apd[8576]: 0149015e:4: 308e3198: CRLDP Auth agent: CRL lookup failed for LDAP url 'ldap:///CN=ENTCACRV(1),CN=SWCFR0013,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ADCRV,DC=CRV4ALL,DC=COM?certificateRevocationList?base?objectClass=cRLDistributionPoint' reason 'No valid host found'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490004:6: 308e3198: Executed agent '/Common/perform_cert_check_act_crldp_auth_ag', return value 0
Nov 7 12:34:34 nllb003p info apd[8576]: 01490006:6: 308e3198: Following rule 'Successful' from item 'CRLDP Auth' to item 'Message Box'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490004:6: 308e3198: Executed agent '/Common/perform_cert_check_act_message_box_2_ag', return value 3
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.crldp./Common/perform_cert_check_act_crldp_auth_ag.result' set to '1'
Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.crldp.last.result' set to '1'
Comment made 07-Nov-2014 by Marvin 430
Finally, the

Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.ssl.cert.certissuer'

and

Nov 7 12:34:34 nllb003p info apd[8576]: 01490007:6: 308e3198: Session variable 'session.ssl.cert.whole'

include the issuer certificate.
Comment made 16-May-2016 by chris100 53
Hi, I'm using the above method and it appears to work as expected, but when 'verify signature' is enabled in the CRLDP AAA object the policy always fails with 'failed to verify signature'. I'm mapping the correct certissuer variable and have compared the logs with the on-demand cert checker, and the variable mappings are exactly the same. Are there any other variables required as input to the CRLDP policy item to make 'verify signature' work, apart from session.ssl.cert.certissuer and session.ssl.cert.whole, when coming from a machine auth action? Does this feature work when using the method above? v11.6hf5
Comment made 03-Oct-2017 by Stanislas Piron 10641

Hi,

I had the same requirement for a client and Kevin's solution is working fine.

I used the following variable assign:

session.ssl.cert.whole = Session Variable session.check_machinecert.last.cert.cert
session.ssl.cert.certissuer = Session Variable session.check_machinecert.last.cert.issuer

@Kevin: the machine issuer is stored in session.check_machinecert.last.cert.issuer. I'm not sure I understand this sentence:

If you have multiple issuer certs, you may have to create some switching or iRule logic to assign the correct value based on the issuer subject string from session.check_machinecert.last.cert.issuer.

Does it mean that if there is more than 1 intermediate CA, all are included in this variable and we have to set only the issuer in the variable session.ssl.cert.certissuer?

Comment made 03-Oct-2017 by Kevin Stewart

It's been a while since I've checked it, but I believe it returns all of the issuers in a list.

Comment made 03-Oct-2017 by Stanislas Piron 10641

Thanks Kevin for the quick reply.

"All of the issuers": this is what I don't understand... In my mind, a certificate has 1 issuer. Am I wrong?

If session.check_machinecert.last.cert.issuer can contain multiple certificate issuers, why can't session.ssl.cert.certissuer contain multiple issuers?

I talked with another engineer and it seems the solution you provided here is used by lots of customers. That's why I'm trying to find a generic solution for all similar projects.

Stanislas

Comment made 03-Oct-2017 by Kevin Stewart

The path from the root CA to the user cert is a chain, and that chain can contain multiple subordinate CAs.

Root -> SubCA -> SubCA -> SubCA -> SubCA -> User

where each SubCA is a subordinate of the CA above it. When a client presents its certificate, it (usually) will include all of the known subordinate CAs in the chain (everything up to but not including the root CA). So the session.check_machinecert.last.cert.issuer session variable will contain all of these. In what format it stores them I don't remember, but I'm assuming it's a list.

Comment made 03-Oct-2017 by Stanislas Piron 10641

OK, thank you.

Can session.ssl.cert.certissuer contain the SubCA chain too, or only the last SubCA?

As I said in my comment, I copied session.check_machinecert.last.cert.issuer to session.ssl.cert.certissuer, but the configuration was (like most companies):

Root -> SubCA -> User

So I'm not sure it will work for all companies or only for deployments with only 1 intermediate CA.

I hope the next experts who read this thread with such a requirement will comment with the right answer :-)

Comment made 03-Oct-2017 by Kevin Stewart

Hmm.

I believe there was a time when access did report all of the certs in the chain, but I'm testing it now on 13.0 and it only stores the immediate issuer (closest to the user). If the cert chain does contain multiple subordinates, the client will usually send all of them, but access is only storing the last one.

You can see this in action if you do client cert auth in the client SSL profile and log the issuer cert(s):

when CLIENTSSL_HANDSHAKE {
    # Number of certificates the client presented (leaf plus any intermediates it sent)
    log local0. "issuer count: [SSL::cert count]"

    # Log the issuer DN of each presented certificate, in the order the client sent them
    for {set x 0} {$x < [SSL::cert count]} {incr x} {
        log local0. "issuer: [X509::issuer [SSL::cert $x]]"
    }
}
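The accepted answer says that with more than one issuing CA you need "switching or iRule logic" to pick the right PEM issuer certificate from the issuer subject string, and the comments above establish that the Machine Cert Checker stores only the immediate issuer. The iRule below is an added example written for this thread; it is not code from the thread, from Kevin's answer, or from F5. It assumes three objects that are not on the page: an iRule Event agent in the VPE, placed after Machine Cert Auth and before the CRLDP/OCSP Auth agent, with its ID set to select_issuer; a string data group named machine_cert_issuers whose keys are issuer subject strings in the form the Machine Cert Checker logs them (for example /DC=COM/DC=CRV4ALL/DC=ADCRV/CN=ENTCACRV, as in Marvin's log above) and whose values are iFile names; and one iFile per issuing CA holding that CA's PEM certificate. The session variable session.custom.issuer_select is also an assumed name, meant for a branch rule in the VPE.

```tcl
# Added example for this thread: select the issuer PEM for the machine cert's
# issuer and populate the two variables the CRLDP/OCSP agents read.
# Assumed (not on the page): iRule Event agent ID "select_issuer", string data
# group "machine_cert_issuers" (issuer DN -> iFile name), one iFile per CA,
# and the custom result variable session.custom.issuer_select.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "select_issuer" } { return }

    set leaf_pem  [ACCESS::session data get "session.check_machinecert.last.cert.cert"]
    set issuer_dn [ACCESS::session data get "session.check_machinecert.last.cert.issuer"]

    # The PEM is only present when "Save Certificate in a session variable"
    # is enabled on the Machine Cert Checker. Without it there is nothing the
    # revocation agents can check, so leave their inputs unset (fail closed).
    if { $leaf_pem eq "" } {
        ACCESS::session data set "session.custom.issuer_select" "no_cert"
        log local0. "machine cert PEM not saved in session; cannot run revocation check"
        return
    }

    # Resolve the issuer DN string to the iFile holding that CA's certificate.
    # An issuer that is not in the data group is not guessed at: the policy can
    # branch on session.custom.issuer_select and send the session to Deny.
    if { ![class match $issuer_dn equals machine_cert_issuers] } {
        ACCESS::session data set "session.custom.issuer_select" "unknown_issuer"
        log local0. "no issuer certificate configured for '$issuer_dn'"
        return
    }
    set issuer_ifile [class lookup $issuer_dn machine_cert_issuers]

    # Hand the CRLDP/OCSP agents the same inputs On-Demand Cert Auth would set:
    # the machine cert PEM and the PEM of its immediate issuer.
    ACCESS::session data set "session.ssl.cert.whole" $leaf_pem
    ACCESS::session data set "session.ssl.cert.certissuer" [ifile get $issuer_ifile]
    ACCESS::session data set "session.custom.issuer_select" "ok"
    log local0. "issuer certificate '$issuer_ifile' selected for '$issuer_dn'"
}
```

For a deployment with a single issuing CA (the Root -> SubCA -> User case Stanislas describes) a plain Variable Assign that imports the one issuer PEM is enough; the lookup only earns its place when several issuing CAs are in use. Keeping the issuer certificates in iFiles rather than inline in a data group keeps the multi-line PEM text out of the data group values, and the unknown_issuer branch makes sure a machine cert from an unexpected CA is never sent to the revocation agents with an empty or wrong issuer.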
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks Kevin. The solution works like a charm.

Is it possible to have CRLDP auth if OCSP is not available?

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

This solution looks to be working in my case, up to the point where I want to check the machine certificate against CRL list with CRLDP check - server connection: no server, so direct HTTP access.

It sometimes fetches the new CRL, sometimes not - based on TCPDUMP and firewall logs.

I was thinking about CRL cache. So I modified the attributes of the CRLDP server:

Cache Timeout: 10 seconds

Update Interval: 5 seconds

I did this just to be sure that while I am testing this policy, the F5 fetches a fresh CRL every time I reach the policy.

Scenario: the machine certificate was added to the CRL, and CRLDP correctly denied access. Then the certificate was removed from the CRL, and since then CRLDP still keeps denying access. It looks like it's using a cached copy of the CRL, although I configured the CRLDP to update the CRL every 5 seconds.

Anybody faced this issue too?
