How to Configure CRL Auto Refresh Feature of NetScaler Appliance
Article ID: CTX127218
Updated On:
Description
This article contains information about configuring the Certificate Revocation List (CRL) Auto Refresh feature on a NetScaler appliance or Access Gateway Enterprise Edition.
Background
A certificate that Certificate Authority (CA) issues is valid until the expiry date of the certificate. However, the CA can cancel the issued certificate before the expiry date of the certificate in any of the following scenarios:
- When the private key of an owner is compromised
- When the name of a company or individual changes
- When the association between the subject and the CA changes
The CA releases a CRL that contains a list of invalid certificates along with the serial number and issuer of the certificates. CRLs are important for the client authentication process. In the absence of a CRL, the client certificates that are canceled before the expiry date, pass the authentication check. The CA issues the CRLs at regular intervals.
You can configure the NetScaler appliance to use a CRL to block client requests that has the invalid certificates.
Instructions
To configure a new CRL on a NetScaler appliance with CRL refresh parameters, complete any of the following procedures:
Configuring the CRL Auto Refresh Feature using an LDAP Server
When you specify the CRL refresh parameters and a Lightweight Directory Access Protocol (LDAP) server, the CRL need not be present on the local hard disk when you run the command. The first CRL refresh stores a copy of the CRL on the local hard disk drive in the directory path specified in the CRL File parameter. The default path for storing a CRL on the NetScaler appliance is /var/netscaler/ssl.
To configure the CRL Auto Refresh feature on the NetScaler appliance using an LDAP server, complete the following procedure:
-
Expand the SSL node.
-
Select the CRL node.
-
Select the required CRL.
-
Click Open.
-
Select the Enable CRL Auto Refresh option.
-
From the Method list, select LDAP.
-
Type the server IP address in the Server IP field.
-
Type the port number in the Port field.
-
Type the path to the CRL file in the Base DN field, as shown in the following screen shot. The value of the Base DN must be limited to a maximum length of 127.
-
From the Interval list, select Daily.
-
Click Create.
To configure the CRL from the command line interface of the appliance, run the following command:
add ssl crl DesiredCRLNameHere DesiredCRLFilename.crl -inform DER -refresh ENABLED -CAcert MyCAsRootCertificatehere -server 192.168.1.101 -port 389 -baseDN "<BASE_DN_HERE>" -interval DAILY -time 00:00 -bindDN username@test.ctx -password mypwd
Configuring the CRL Auto Refresh Feature using an HTTP URL
To configure the CRL Auto refresh feature of the NetScaler appliance using an HTTP URL, complete the following procedure:
-
Expand the SSL node.
-
Select the CRL node.
-
Select the required CRL.
-
Click Open.
-
Select the Enable CRL Auto Refresh option.
-
From the Method list, select HTTP.
-
Type the port number in the Port field.
-
Type the URL of the CRL file in the URL field, as shown in the following screen shot. The URL for the CRL Distribution Point must be limited to a maximum length of 127.
-
From the Interval list, select Daily.
-
Click Create.
To configure the CRL from the command line interface of the appliance, run the following command:
add ssl crl DesiredCRLName Desired_CRL_Filename.crl -inform DER -refresh ENABLED -CAcert MyCAsRootCertificatehere -method HTTP -url "http://myCRLurlhere/mycrl.crl
Troubleshooting the Connectivity Issue to the CRL Distribution Point
To troubleshoot the connectivity issue to the CRL Distribution Point, complete the following procedure:
-
Refresh the Configuration utility of the NetScaler appliance or run the show crl command from the command line interface.
-
If an error is displayed, ensure that the required ports are opened from the NetScaler IP address to the backend resource server.
-
If the ports are opened and traffic is reaching the CRL Distribution Point, verify if valid URL or LDAP parameters are defined. You can verify the LDAP parameters or URL using OpenSSL and a client certificate. The following is a sample verification of a valid URL:
openssl x509 -in userclientcert.pem -noout –text (abridged output) X509v3 CRL Distribution Points: URI:ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EXAMPLE,DC=CTX?certificateRevocationList?base?objectClass=cRLDistributionPoint URI:http://DC1.EXAMPLE.CTX/CertEnroll/DC1.crl
-
If the LDAP parameters or URL is valid, perform an ldapsearch.
The ldapsearch command-line utility opens a connection to an LDAP server, binds the connection to the server, and performs a search to test the connection using a filter. The results are displayed in the LDAP Data Interchange Format (LDIF).
If there is any issue with the parameters, the utility displays an error message that can help you troubleshoot issues with various variables, such as scope and base DN. To run the ldapsearch utility, run the following commands from the command line interface of the NetScaler appliance:
shell ldapsearch -h <IP_address_of_LDAP_server> -p <Port_on_LDAP_server> -s <Scope_Defined> -b <Base_DN_for_Search> -D username@example.ctx –w <Password>
For further assistance on troubleshooting this issue, send the output of ldapsearch and the network trace file to Citrix Technical Support.
Issue/Introduction
Additional Information
-
Citrix Documentation - Managing Certificate Revocation Lists
-
For more information about other options of the ldapsearch utility, refer to any of the following webpages:
ldapsearch: LDAP Shell Commands
IBM Lotus Domino and Notes Information Center
ldapsearch(1): LDAP search tool - Linux man page
