How to Configure CRL Auto Refresh Feature of NetScaler Appliance

Article ID: CTX127218

Description

This article contains information about configuring the Certificate Revocation List (CRL) Auto Refresh feature on a NetScaler appliance or Access Gateway Enterprise Edition.

Background

A certificate that a Certificate Authority (CA) issues is valid until its expiry date. However, the CA can revoke (cancel) the certificate before that date in any of the following scenarios:

  • When the private key of an owner is compromised
  • When the name of a company or individual changes
  • When the association between the subject and the CA changes

The CA releases a CRL that lists the revoked certificates by serial number and issuer. CRLs are important for the client authentication process: without a CRL, client certificates that were revoked before their expiry date pass the authentication check. The CA issues CRLs at regular intervals.

You can configure the NetScaler appliance to use a CRL to block client requests that present revoked certificates.


Instructions

To configure a new CRL on a NetScaler appliance with CRL refresh parameters, complete one of the following procedures:

Configuring the CRL Auto Refresh Feature using an LDAP Server

When you specify the CRL refresh parameters and a Lightweight Directory Access Protocol (LDAP) server, the CRL need not be present on the local hard disk when you run the command. The first CRL refresh stores a copy of the CRL on the local hard disk drive in the directory path specified in the CRL File parameter. The default path for storing a CRL on the NetScaler appliance is /var/netscaler/ssl.

To configure the CRL Auto Refresh feature on the NetScaler appliance using an LDAP server, complete the following procedure:

1. Expand the SSL node.

2. Select the CRL node.

3. Select the required CRL.

4. Click Open.

5. Select the Enable CRL Auto Refresh option.

6. From the Method list, select LDAP.

7. Type the server IP address in the Server IP field.

8. Type the port number in the Port field.

9. Type the path to the CRL file in the Base DN field, as shown in the following screen shot. The value of the Base DN must not exceed 127 characters.

    [Screen shot: Base DN field]

10. From the Interval list, select Daily.

11. Click Create.

If the CA publishes a new CRL in the external repository before the update time specified in the LastUpdate field of the CRL, refresh the CRL on the NetScaler appliance immediately instead of waiting for the scheduled interval.

To configure the CRL from the command line interface of the appliance, run the following command (the -method LDAP option selects the LDAP retrieval method; replace the placeholder values with your own):

    add ssl crl DesiredCRLNameHere DesiredCRLFilename.crl -inform DER -refresh ENABLED -CAcert MyCAsRootCertificatehere -method LDAP -server 192.168.1.101 -port 389 -baseDN "<BASE_DN_HERE>" -interval DAILY -time 00:00 -bindDN username@test.ctx -password mypwd

Configuring the CRL Auto Refresh Feature using an HTTP URL

To configure the CRL Auto Refresh feature of the NetScaler appliance using an HTTP URL, complete the following procedure:

1. Expand the SSL node.

2. Select the CRL node.

3. Select the required CRL.

4. Click Open.

5. Select the Enable CRL Auto Refresh option.

6. From the Method list, select HTTP.

7. Type the port number in the Port field.

8. Type the URL of the CRL file in the URL field, as shown in the following screen shot. The URL of the CRL Distribution Point must not exceed 127 characters.

    [Screen shot: URL field]

9. From the Interval list, select Daily.

10. Click Create.

If the CA publishes a new CRL in the external repository before the update time specified in the LastUpdate field of the CRL, refresh the CRL on the NetScaler appliance immediately instead of waiting for the scheduled interval.

To configure the CRL from the command line interface of the appliance, run the following command (replace the placeholder values with your own):

    add ssl crl DesiredCRLName Desired_CRL_Filename.crl -inform DER -refresh ENABLED -CAcert MyCAsRootCertificatehere -method HTTP -url "http://myCRLurlhere/mycrl.crl"

Troubleshooting the Connectivity Issue to the CRL Distribution Point

To troubleshoot the connectivity issue to the CRL Distribution Point, complete the following procedure:

1. Refresh the Configuration utility of the NetScaler appliance or run the show crl command from the command line interface.

2. If an error is displayed, ensure that the required ports are opened from the NetScaler IP address to the backend resource server.

3. If the ports are open and traffic reaches the CRL Distribution Point, verify that the URL or LDAP parameters defined on the appliance are valid. You can check them against the CRL Distribution Points extension of a client certificate using OpenSSL. The following is a sample verification of a valid URL:

    openssl x509 -in userclientcert.pem -noout -text
    (abridged output)
    X509v3 CRL Distribution Points:
    URI:ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EXAMPLE,DC=CTX?certificateRevocationList?base?objectClass=cRLDistributionPoint
    URI:http://DC1.EXAMPLE.CTX/CertEnroll/DC1.crl

4. If the LDAP parameters or URL are valid, perform an ldapsearch.

The ldapsearch command-line utility opens a connection to an LDAP server, binds the connection to the server, and performs a search to test the connection using a filter. The results are displayed in the LDAP Data Interchange Format (LDIF).

If there is any issue with the parameters, the utility displays an error message that can help you troubleshoot issues with various variables, such as scope and base DN. To run the ldapsearch utility, run the following commands from the command line interface of the NetScaler appliance (the shell command opens the appliance's underlying shell):

    shell
    ldapsearch -h <IP_address_of_LDAP_server> -p <Port_on_LDAP_server> -s <Scope_Defined> -b <Base_DN_for_Search> -D username@example.ctx -w <Password>

For further assistance on troubleshooting this issue, send the output of ldapsearch and the network trace file to Citrix Technical Support.
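The following Python script is an added example, not part of the article or of NetScaler: it takes the CRL Distribution Point URIs from the openssl output in step 3 and maps them to the method-specific add ssl crl options used in both configuration procedures (URL for HTTP; Base DN, scope, server and port for LDAP, with the 127-character limit enforced) and to the argv of the ldapsearch probe from step 4. The sample openssl output is constructed from the abridged output above; the assumption that NetScaler accepts only the Base and One scopes, the LDAP default port 389 and the certificateRevocationList attribute are the author's assumptions, not taken from the article.

```python
import re
from urllib.parse import unquote

MAX_LEN = 127  # NetScaler limit for the Base DN and URL values (see the procedures above)
# Constructed sample input: the abridged `openssl x509 -text` output quoted in step 3.
OPENSSL_OUTPUT = """\
    X509v3 CRL Distribution Points:
        URI:ldap:///CN=DC1,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=EXAMPLE,DC=CTX?certificateRevocationList?base?objectClass=cRLDistributionPoint
        URI:http://DC1.EXAMPLE.CTX/CertEnroll/DC1.crl
"""

def extract_cdp_uris(text):
    """Return every URI: value printed under the CRL Distribution Points extension."""
    return re.findall(r"^\s*URI:(\S+)", text, flags=re.MULTILINE)

def check_len(value, name):
    if len(value) > MAX_LEN:
        raise ValueError(f"{name} is {len(value)} chars; NetScaler accepts at most {MAX_LEN}")

def parse_ldap_uri(uri):
    """Split an RFC 4516 LDAP URL (ldap://host:port/dn?attrs?scope?filter) into NetScaler fields."""
    authority, _, rest = uri.partition("://")[2].partition("/")
    dn, attrs, scope, filt = (unquote(f) for f in (rest.split("?") + [""] * 4)[:4])
    host, _, port = authority.partition(":")
    scopes = {"": "Base", "base": "Base", "one": "One"}  # assumption: NetScaler offers Base and One only
    if scope.lower() not in scopes:
        raise ValueError(f"LDAP scope {scope!r} is not supported by NetScaler CRL refresh")
    if filt and not filt.startswith("("):
        filt = f"({filt})"  # CDP URIs usually omit the parentheses ldapsearch expects
    return {"server": host or None,  # AD-issued CDPs use ldap:/// with no host: -server must be given by hand
            "port": int(port) if port else 389, "baseDN": dn, "scope": scopes[scope.lower()],
            "attribute": attrs or "certificateRevocationList", "filter": filt or "(objectClass=*)"}

def netscaler_params(uri):
    """Map one CDP URI to the method-specific options of `add ssl crl`."""
    if uri.lower().startswith("http://"):
        check_len(uri, "url")
        return {"method": "HTTP", "url": uri}
    if uri.lower().startswith("ldap://"):
        params = parse_ldap_uri(uri)
        check_len(params["baseDN"], "baseDN")
        return {"method": "LDAP", **params}
    raise ValueError("unsupported CDP scheme: " + uri)

def ldapsearch_argv(params, server, bind_dn):
    """argv for the step-4 probe; -W prompts for the password instead of putting it on the command line."""
    return ["ldapsearch", "-h", params["server"] or server, "-p", str(params["port"]),
            "-s", params["scope"].lower(), "-b", params["baseDN"], "-D", bind_dn, "-W",
            params["filter"], params["attribute"]]
```

Run netscaler_params over extract_cdp_uris(OPENSSL_OUTPUT) to see that the LDAP URI yields a Base DN of 90 characters and no server (so -server must be supplied), while the HTTP URI maps directly to -url.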
