Wireless Access

Contributor II
Posts: 53
Registered: ‎10-01-2013

Controller certificates and CRL

I am having an issue trying to configure a CRL for my controller certificates.

I already have a Windows PKI running, with a working CRL. I have issued a certificate to the controller and uploaded both this and the CA root to the controller. These are to be used for IKEv1 certificate authentication for the controller. This is working well. I also have a public SSL certificate installed for management.

The certificate is working well; I have tested IKE authentication through the certificate and it works well. Now I wanted to configure the CRL so I can reject clients with revoked certificates trying to connect to the Aruba controller (with the Aruba VIA client).

Reading through the user manual here I find the info a bit scarce really. It tells you the basic info like give the inputs and press upload, but doesn't give much insight into what info :)

I have the certificates, and I have a URL which gives me a downloadable .CRL file with the revocation info in it. I am aware that the CRL is signed by the CA, so you would need to bind a CRL location to a certificate to validate the authenticity of the CRL info you receive.

Now my issue is that when I try to upload a CRL certificate I get an "Error in CRL format" message, and here is where I have a few questions.

What certificate are you supposed to use here, the CA root certificate? The issued controller certificate?

What requirements are there for this certificate?

Currently I don't have any CRL info in the issued controller certificate, and the CA root certificate is better off without it.

Is there a bit more info on this to be found?

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Controller certificates and CRL

My experience is a bit limited, but I believe the CRL can be in DER or PEM format as with certificates. Did you try to upload it in both of the formats?

Do keep in mind the controller is limited in the number of certificates in the CRL (well, actually certificate IDs). You could have a look at OCSP.

Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: Controller certificates and CRL

Hello, yes I understand the limitations, but it is a very small installation and 512 entries should be more than enough; besides, the CRL option is there so it must work :)

A Windows CRL list comes with a .CRL file extension, and when I try to upload that I get an invalid extension message, as expected. CRL checks are done towards a URL, and you are supposed to configure this after uploading the certificate, as far as I interpret the flow of the configuration.

I have tried DER, PEM, PKCS7 and now have CRL information included in the certificate, but still end up getting an "error in CRL format" message. I have a feeling there are some requirements to this that are not detailed in the user guide.

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Controller certificates and CRL

I'm not sure if you understood me correctly: you downloaded the CRL directly from the Windows CA, right?

Then it will be in DER format. It might be that the Aruba controller would like it to be in PEM format; to do that you would do something like:

openssl crl -inform DER -outform PEM -in crl.der -out crl.pem

Did you do that?

Also, CRL checks don't have to be done towards a URL; you can check a local CRL file yourself also, and some devices can be configured to do so. Actually, that is what I believe the Aruba will do: you import the CRL file on it so it can check.
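The conversion and the local-file check described above, as an added example that is not from this thread or from Aruba: it builds a throwaway CA with openssl, issues two client certificates, revokes one, publishes the CRL in DER as a Windows CA does, converts it to PEM, and then runs the same CA-plus-CRL verification the controller performs against the uploaded file. All file names and subject names are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway CA, revokes one of two
# client certs, publishes the CRL as DER (like a Windows CDP URL), then converts
# and checks it. Every name and path here is a made-up assumption.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
serial = serial
default_md = sha256
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch index.txt; echo 1000 > serial
Q="-config ca.cnf -cert ca.crt -keyfile ca.key"
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -subj /CN=DemoCA -config ca.cnf 2>/dev/null
for u in via-ok via-revoked; do   # two VIA client certificates (constructed)
  openssl req -new -newkey rsa:2048 -nodes -keyout $u.key -out $u.csr -subj /CN=$u -config ca.cnf 2>/dev/null
  openssl ca $Q -batch -days 30 -in $u.csr -out $u.crt >/dev/null 2>&1
done
openssl ca $Q -revoke via-revoked.crt >/dev/null 2>&1
openssl ca $Q -gencrl -out crl.pem >/dev/null 2>&1
openssl crl -in crl.pem -outform DER -out crl.der   # what the CA's CRL URL serves

# Convert a downloaded CRL to PEM whatever its input encoding; prints the encoding found.
crl_to_pem() {  # $1 = downloaded CRL, $2 = PEM output for upload to the controller
  if grep -q 'BEGIN X509 CRL' "$1"; then inform=PEM; else inform=DER; fi
  openssl crl -inform $inform -outform PEM -in "$1" -out "$2" && echo $inform
}

# Verify a client cert against CA + uploaded CRL; prints ok, revoked or invalid.
check_cert() {  # $1 = client cert, $2 = CA cert, $3 = PEM CRL
  out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1) || true
  case "$out" in *"certificate revoked"*) echo revoked;; *": OK"*) echo ok;; *) echo invalid;; esac
}
```

Because the controller checks the file it was given, `crl_to_pem` has to be rerun and the result re-uploaded every time the CA publishes a new CRL; `openssl crl -noout -nextupdate -in crl.pem` shows when the uploaded copy goes stale.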

Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: Controller certificates and CRL

Nope, I didn't understand you correctly :)

I just downloaded the CRL from the URL the Windows CA publishes it to, and that comes in DER format as you said. Tried the conversion to PEM format, and that worked fine. I was able to import it then to the controller in PEM format.

However, I realize only now that this is a check towards the file as you say, and for any change that gets made to the CRL, I would have to re-upload the file to the controller. That works in this small installation scenario, but it is hardly an elegant solution :)

MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Controller certificates and CRL


john654 wrote:
However I realize first now that this is a check towards the file as you say, and any change to the CRL that get done, I would have to reupload the file to the controller. That works in this small installation scenario, but hardly an elegant solution :)

Correct, that was one of the reasons to point out OCSP as an alternative; CRL has its downsides, and the way the controller implements this makes it quite restrictive. ClearPass can download one regularly, I believe.

Contributor II
Posts: 53
Registered: ‎10-01-2013

Re: Controller certificates and CRL

Yeah, but can you authenticate IKEv1 negotiations towards ClearPass?

I believe the only way to get a live check on certificates used for phase 1 in IKE towards the controller is OCSP.
