Citrix ADC

Certificate revocation lists

A certificate issued by a CA typically remains valid until its expiration date. However, in some circumstances, the CA might revoke the issued certificate before the expiration date. For example, when an owner’s private key is compromised, a company’s or individual’s name changes, or the association between the subject and the CA changes.

A Certificate Revocation List (CRL) identifies invalid certificates by serial number and issuer.

Certificate authorities issue CRLs regularly. You can configure the Citrix ADC appliance to use a CRL to block client requests that present invalid certificates.

If you already have a CRL file from a CA, add that to the Citrix ADC appliance. You can configure refresh options. You can also configure the Citrix ADC to sync the CRL file automatically at a specified interval, from either a web location or an LDAP location. The appliance supports CRLs in either the PEM or the DER file format. Be sure to specify the file format of the CRL file being added to the Citrix ADC appliance.

If you have used the ADC as a CA to create certificates that are used in SSL deployments, you can also create a CRL to revoke a particular certificate. This feature can be used, for example, to ensure that self-signed certificates that are created on the Citrix ADC are not used either in a production environment or beyond a particular date.

Note:

By default, CRLs are stored in the /var/netscaler/ssl directory on the Citrix ADC appliance.

Create a CRL on the ADC appliance

Since you can use the ADC appliance to act as a CA and create self-signed certificates, you can also revoke the following certificates:

  • Certificates that you have created.
  • Certificates whose CA certificate you own.

The appliance must revoke the invalid certificates before creating a CRL for those certificates. The appliance stores the serial numbers of revoked certificates in an index file and updates the file each time it revokes a certificate. The index file is automatically created the first time a certificate is revoked.

Revoke a certificate or create a CRL by using the CLI

At the command prompt, type the following command:

create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL <output_filename>)

Example:

create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -revoke Invalid-1
create ssl crl Cert-CA-1 Key-CA-1 File-Index-1 -genCRL CRL-1

Revoke a certificate or create a CRL by using the GUI

  1. Navigate to Traffic Management > SSL and, in the Getting Started group, select CRL Management.
  2. Enter the certificate details and, in the Choose Operation list, select Revoke Certificate or Generate CRL.

Add an existing CRL to the ADC

Before you configure the CRL on the Citrix ADC appliance, make sure that the CRL file is stored locally on the Citrix ADC appliance. In an HA setup, the CRL file must be present on both ADC appliances, and the directory path to the file must be the same on both appliances.

Add a CRL on the Citrix ADC by using the CLI

At the command prompt, type the following commands to add a CRL on the Citrix ADC and verify the configuration:

add ssl crl <crlName> <crlPath> [-inform (DER | PEM)]
show ssl crl [<crlName>]

Example:

> add ssl crl crl-one /var/netscaler/ssl/CRL-one -inform PEM
 Done
> show ssl crl crl-one
        Name: crl-one
        Status: Valid,   Days to expiration: 29
        CRL Path: /var/netscaler/ssl/CRL-one
        Format: PEM
        CAcert: samplecertkey
        Refresh: DISABLED
        Version: 1
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US,ST=California,L=Santa Clara,O=NetScaler Inc.,OU=SSL Acceleration,CN=www.ns.com/emailAddress=support@Citrix ADC appliance.com
        Last_update:Jun 15 10:53:53 2010 GMT
        Next_update:Jul 15 10:53:53 2010 GMT
        1)      Serial Number: 00
                Revocation Date:Jun 15 10:51:16 2010 GMT
 Done

Add a CRL on the Citrix ADC by using the GUI

Navigate to Traffic Management > SSL > CRL, and add a CRL.

Configure CRL refresh parameters

A CRL is generated and published by a Certificate Authority periodically or, sometimes, immediately after a particular certificate is revoked. Citrix recommends that you update CRLs on the Citrix ADC appliance regularly, for protection against clients trying to connect with certificates that are not valid.

The Citrix ADC appliance can refresh CRLs from a web location or an LDAP directory. When you specify refresh parameters and a web location or an LDAP server, the CRL does not have to be present on the local hard disk drive at the time you run the command. The first refresh stores a copy on the local hard disk drive, in the path specified by the CRL File parameter. The default path for storing the CRL is /var/netscaler/ssl.

Note: In release 10.0 and later, the method for refreshing a CRL is not included by default. Specify an HTTP or LDAP method. If you are upgrading from an earlier release to release 10.0 or later, you must add a method and run the command again.

Configure CRL autorefresh by using the CLI

At the command prompt, type the following commands to configure CRL auto refresh and verify the configuration:

set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-server <ip_addr> | -url <URL>] [-method ( HTTP | LDAP )] [-port <port>] [-baseDN <string>] [-scope ( Base | One )] [-interval <interval>] [-day <positive_integer>] [-time <HH:MM>] [-bindDN <string>] {-password <string>} [-binary ( YES | NO )]
show ssl crl [<crlName>]

Example:

> set ssl crl crl1 -refresh enabled -method ldap -inform DER -CAcert ca1 -server 10.102.192.192 -port 389 -scope base -baseDN "cn=clnt_rsa4_multicert_der,ou=eng,o=ns,c=in" -time 00:01
> set ssl crl crl1 -refresh enabled -method http -cacert ca1 -port 80 -time 00:10 -url http://10.102.192.192/crl/ca1.crl
> sh crl
1)      Name: crl1
        Status: Valid,   Days to expiration: 355
        CRL Path: /var/netscaler/ssl/crl1
        Format: PEM
        CAcert: ca1
        Refresh: ENABLED
        Method: HTTP
        URL: http://10.102.192.192/crl/ca1.crl       Port:80
        Refresh Time: 00:10
        Last Update: Successful, Date:Tue Jul  6 14:38:13 2010
 Done

Configure CRL autorefresh using LDAP or HTTP by using the GUI

  1. Navigate to Traffic Management > SSL > CRL.
  2. Open a CRL, and select Enable CRL Auto Refresh.

Note

If the CA publishes a new CRL to the external repository earlier than the time the appliance expects (see the Last Update time field of the CRL), do not wait for the next scheduled refresh: refresh the CRL on the Citrix ADC appliance immediately, because until then the appliance is still enforcing the older list.

To view the last update time, select the CRL and click Details.

Synchronize CRLs

The Citrix ADC appliance uses the most recently distributed CRL to prevent clients with revoked certificates from accessing secure resources.

If CRLs are updated often, the Citrix ADC appliance needs an automated mechanism to fetch the latest CRLs from the repository. You can configure the appliance to update CRLs automatically at a specified refresh interval.

The appliance maintains an internal list of CRLs that need to be updated at regular intervals. At these specified intervals, the appliance scans the list for CRLs that need to be updated. It then connects to the remote LDAP server or HTTP server, retrieves the latest CRLs, and then updates the local CRL list with the new CRLs.

Note:

If the CRL check is set to mandatory when the CA certificate is bound to the virtual server, and the initial CRL refresh fails, all client-authentication connections with the same issuer as the CRL are rejected as REVOKED until the CRL is successfully refreshed.

You can specify the interval at which the CRL refresh must be carried out. You can also specify the exact time.

Synchronize CRL autorefresh by using the CLI

At the command prompt, type the following command:

set ssl crl <crlName> [-interval <interval>] [-day <positive_integer>] [-time <HH:MM>]

Example:

set ssl crl CRL-1 -refresh ENABLED -interval MONTHLY -day 10 -time 12:00

Synchronize CRL refresh by using the GUI

  1. Navigate to Traffic Management > SSL > CRL.
  2. Open a CRL, select Enable CRL Auto Refresh, and specify the interval.

Perform client authentication by using a certificate revocation list

If a certificate revocation list (CRL) is present on a Citrix ADC appliance, a CRL check is performed regardless of whether performing the CRL check is set to mandatory or optional.

The success or failure of a handshake depends on a combination of the following factors:

  • Rule for CRL check
  • Rule for client certificate check
  • State of the CRL configured for the CA certificate

The following table lists the results of the possible combinations for a handshake involving a revoked certificate.

Table 1. Result of a Handshake with a Client Using a Revoked Certificate

Rule for CRL check | Rule for client certificate check | State of the CRL configured for the CA certificate | Result of a handshake with a revoked certificate
Optional           | Optional  | Missing | Success
Optional           | Mandatory | Missing | Success
Optional           | Mandatory | Present | Failure
Mandatory          | Optional  | Missing | Success
Mandatory          | Mandatory | Missing | Failure
Mandatory          | Optional  | Present | Success
Mandatory          | Mandatory | Present | Failure
Optional/Mandatory | Optional  | Expired | Success
Optional/Mandatory | Mandatory | Expired | Failure

Note:

  • The CRL check is optional by default. To change it from optional to mandatory, or vice versa, you must first unbind the certificate from the SSL virtual server, and then bind it again after changing the option.

  • In the output of the sh ssl vserver command, "OCSP check: optional" implies that the CRL check is also optional. The CRL check settings are displayed in the output of the sh ssl vserver command only if the CRL check is set to mandatory. If the CRL check is set to optional, the CRL check details do not appear.

To configure CRL check by using the CLI

At the command prompt, type the following command:

bind ssl vserver <vServerName> -certkeyName <string> [(-CA -crlCheck ( Mandatory | Optional ))]
sh ssl vserver <vServerName>

Example:

> bind ssl vs v1 -certkeyName ca -CA -crlCheck mandatory
> sh ssl vs v1

        Advanced SSL configuration for VServer v1:
        DH: DISABLED
        DH Private-Key Exponent Size Limit: DISABLED
        Ephemeral RSA: ENABLED          Refresh Count: 0
        Session Reuse: ENABLED          Timeout: 120 seconds
        Cipher Redirect: DISABLED
        SSLv2 Redirect: DISABLED
        ClearText Port: 0
        Client Auth: ENABLED            Client Cert Required: Mandatory
        SSL Redirect: DISABLED
        Non FIPS Ciphers: DISABLED
        SNI: DISABLED
        OCSP Stapling: DISABLED
        HSTS: DISABLED
        HSTS IncludeSubDomains: NO
        HSTS Max-Age: 0
        SSLv2: DISABLED  SSLv3: ENABLED  TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED
        Push Encryption Trigger: Always
        Send Close-Notify: YES
        ECC Curve: P_256, P_384, P_224, P_521

1)      CertKey Name: ca CA Certificate CRLCheck: Mandatory CA_Name Sent

1)      Cipher Name: DEFAULT
        Description: Predefined Cipher Alias
 Done

Configure CRL check by using the GUI

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers, and open an SSL virtual server.
  2. Click in the Certificates section.
  3. Select a certificate and, in the OCSP and CRL Check list, select CRL Mandatory.

Result of a handshake with a revoked or valid certificate

Rule for CRL check | Rule for client certificate check | State of the CRL configured for the CA certificate | Result of a handshake with a revoked certificate | Result of a handshake with a valid certificate
Mandatory | Mandatory | Present   | Failure | Success
Mandatory | Mandatory | Expired   | Failure | Failure
Mandatory | Mandatory | Missing   | Failure | Failure
Mandatory | Mandatory | Undefined | Failure | Failure
Optional  | Mandatory | Present   | Failure | Success
Optional  | Mandatory | Expired   | Success | Success
Optional  | Mandatory | Missing   | Success | Success
Optional  | Mandatory | Undefined | Success | Success
Mandatory | Optional  | Present   | Success | Success
Mandatory | Optional  | Expired   | Success | Success
Mandatory | Optional  | Missing   | Success | Success
Mandatory | Optional  | Undefined | Success | Success
Optional  | Optional  | Present   | Success | Success
Optional  | Optional  | Expired   | Success | Success
Optional  | Optional  | Missing   | Success | Success
Optional  | Optional  | Undefined | Success | Success