Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate revocation - CRL

  • 1.  Certificate revocation - CRL

    Posted Apr 05, 2012 04:22 PM
    Hello, how can I configure my controller to get the CRL? Our customer publishes their CRL list via an http URL, so the Aruba controller should be able to access this URL and get the CRL periodically, then check whether the cert is revoked. There is a CRL location option in the controller, but I could not find how to set it. The controller should learn the CRL location from the CDP info in the certificate. Note: they don't use an OCSP service. Firmware: 6.1.2.8. Thanks,


  • 2.  RE: Certificate revocation - CRL

    Posted Apr 05, 2012 05:40 PM

    I don't think the controller will automatically download the CRL from the distribution point and check for revocation status. You have to manually import the CRL to the controller, and the controller will check the revocation status based on the imported list. CRL support is limited; I think the controller supports a total of 512 certificate serial numbers. The best option would be to move to OCSP. Hopefully someone else on the community has a workaround.

    For more information on CRL and OCSP, see the ArubaOS user guide, chapter 11, certificate revocation.


    Regards,

    Sathya



  • 3.  RE: Certificate revocation - CRL

    Posted Apr 05, 2012 07:44 PM

    If the CRL is for EAP-TLS authentication, consider ClearPass Policy Manager. It can download CRLs periodically via an http URL.

    Pattabhi.



  • 4.  RE: Certificate revocation - CRL

    Posted Sep 12, 2019 10:20 AM

    This is old, but nobody ever answered the poor person's question.  On a small deployment with a more closed environment, CRL works well.  No, you can't get the controller to download the CRL.  But you can.  Steps to get this working:

    1.  Issue a new CRL.  If you're doing this manually, consider making the CRL for a longer period.  Some are configured for as short as 1 day.  You can't admin a box by uploading a CRL daily.

    2.  Upload to the Controller.  I called mine "crl".  Certificate Type is CRL and certificate format is "DER".

    3.  Add CRL as a revocation check method:

    This was added when I uploaded to my controller.  Keeping the names simple makes things simple.  KISS is my design goal.  I do part in the GUI and the rest on the command line.  You can do both from either.  So this is what is added after I upload using the GUI:

     

    crypto-local pki CRL crl ca.crl


    So let's add it to the configuration:


    crypto-local pki rcp "cacert_ec"
    crl-location file "crl"
    revocation-check crl


    My CA is called "cacert_ec".


    Since I called my uploaded CRL "crl", we reference it as such.  The commands are done in this order.

    crl-location file "crl"

    Then we change the revocation method from "NONE" to "CRL":

    revocation-check crl


    You do not, like some implementations, have to build the CRL location into your certificate.

    Remember CRL does scale well.  You must upload a new CRL every time you revoke a certificate and before the uploaded CRL expires.  It works better in a closed environment where few control it all.


    Please see attached.  Note in the picture that the reference number for the crl file is one.  If you're at zero, then you're not doing it right.


    Remember proper policy will keep you out of trouble.  You must have a method to your madness.  That method is your policy.
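Two practical constraints come up in this thread: Sathya's note that the controller holds at most 512 certificate serial numbers, and the point in the last post that a manually uploaded CRL must be replaced before it expires. The stand-alone Python script below is an added example, not code from the thread or from HPE Aruba Networking, for checking a DER CRL file before you upload it: it reads thisUpdate/nextUpdate and the revoked serials straight out of the RFC 5280 structure with a small stdlib-only DER walker, reports how many hours remain until the next upload is due, whether the serial count exceeds a limit (the 512 figure from the thread is an assumption used as the default), and whether a given certificate serial is listed. It does not verify the CRL's signature, so it is a pre-upload sanity check and not a substitute for the controller's own validation. The sample CRL (SAMPLE_CRL) is constructed inside the script with placeholder signature bits so the example runs offline; point parse_crl/assess_crl at the bytes of your real DER file instead.

```python
"""Inspect a DER CRL before manually uploading it to the controller (stdlib only).
Pulls thisUpdate/nextUpdate and the revoked serials out of an RFC 5280 CertificateList
so an operator can check validity, time left until the next upload, serial count and
whether one serial is listed. The CRL signature is NOT verified here.
"""
from datetime import datetime, timezone

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf):
    """Yield (tag, value) for each immediate child of a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve

def _parse_time(tag, value):
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]   # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Return (thisUpdate, nextUpdate or None, [revoked serials]) from a DER CRL."""
    _, vs, ve = _read_tlv(der, 0)                      # CertificateList SEQUENCE
    fields = list(_children(next(_children(der[vs:ve]))[1]))   # children of TBSCertList
    i = 1 if fields[0][0] == 0x02 else 0               # optional version INTEGER
    i += 2                                             # skip signature alg and issuer Name
    this_update, i = _parse_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = _parse_time(*fields[i]), i + 1
    revoked = []
    if i < len(fields) and fields[i][0] == 0x30:       # revokedCertificates SEQUENCE OF
        for _, entry in _children(fields[i][1]):
            serial = next(_children(entry))[1]         # userCertificate INTEGER
            revoked.append(int.from_bytes(serial, "big", signed=True))
    return this_update, next_update, revoked

def _as_utc(value):
    """Accept None (now), a datetime, or an ISO 8601 string; return an aware UTC datetime."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)

def assess_crl(der, serial, now=None, max_serials=512):
    """Summarise CRL usability at `now` and whether `serial` is revoked.
    max_serials defaults to the 512-serial controller limit the thread mentions (assumed)."""
    this_update, next_update, revoked = parse_crl(der)
    now = _as_utc(now)
    return {
        "not_yet_valid": now < this_update,
        "expired": next_update is not None and now >= next_update,
        "hours_left": None if next_update is None
                      else round((next_update - now).total_seconds() / 3600, 1),
        "revoked_count": len(revoked),
        "over_limit": len(revoked) > max_serials,
        "serial_revoked": serial in revoked,
    }

# --- tiny DER encoder, used only to construct the demo CRL below ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _der_int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def _der_time(dt):                                     # UTCTime through 2049, else GeneralizedTime
    return (_der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode()) if dt.year < 2050
            else _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode()))

def build_sample_crl(this_update, next_update, serials):
    """Constructed, UNSIGNED CRL for demonstration only; not a real CA artifact."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Constructed Test CA"))
    issuer = _der(0x30, _der(0x31, cn))                                 # Name: one RDN holding a CN
    entries = b"".join(_der(0x30, _der_int(s) + _der_time(this_update)) for s in serials)
    tbs = _der(0x30, _der_int(1) + alg + issuer + _der_time(this_update)
               + _der_time(next_update) + _der(0x30, entries))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))              # placeholder signature

# Constructed sample: valid 2024-01-01 to 2024-01-31 (UTC), three revoked serials.
SAMPLE_CRL = build_sample_crl(_as_utc("2024-01-01T00:00:00"), _as_utc("2024-01-31T00:00:00"),
                              [0x1001, 0x1002, 0x1003])

if __name__ == "__main__":
    print(assess_crl(SAMPLE_CRL, 0x1002, now="2024-01-10T00:00:00"))
```

Run it against a real file with `assess_crl(open("ca.crl", "rb").read(), serial)`; if `expired` is true or `hours_left` is small, the controller will be rejecting (or about to reject) every EAP-TLS client, which is the failure mode the "1 day" CRL lifetime in step 1 invites. The serial-count check is only as good as the assumed limit, so confirm the figure for your platform and release.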