A Certificate Revocation List (CRL) is a list of certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date. Those certificates should no longer be trusted. A client application such as an Icinga Agent can use a CRL to verify that the certificate of the server is valid and trusted. When an Icinga endpoint connects to its master, the certificate (CRT) of the endpoint is checked for anomalies or problems, and this process includes verifying that the CRT is not on a CRL, so that access is denied when the CRT is no longer trusted.
Prepare custom openssl configuration!
I have prepared a configuration file for openssl where I commented each line as best as I could.
# Since we are going to use the ca command, ca is the default section
[ ca ]
default_ca = CA_default

[ CA_default ]
# The absolute path where the CA working files (database, serial, new certificates) are kept
dir = /Users/yhabteab/openssl
# This is the database of signed certificates. It must exist before openssl ca runs;
# create it empty with "touch index.txt" if you start from scratch
database = $dir/index.txt
# Specifies the directory where new certificates will be saved (must exist)
new_certs_dir = $dir/newcerts
# The file containing the Icinga CA certificate
certificate = /var/lib/icinga2/ca/ca.crt
# A text file containing the next serial number to use in hex.
serial = $dir/serial
# The file containing the Icinga CA private key.
private_key = /var/lib/icinga2/ca/ca.key
# This is a random file to read/write random data to/from
RANDFILE = $dir/private/.rand
# For how many days a newly signed certificate will be valid
default_days = 365
# For how many days the generated CRL will be valid (the "Next Update" time)
# default_crl_days = 30
# For how many hours the generated CRL will be valid.
# One hour is the shortest CRL lifetime openssl will generate.
default_crl_hours = 1
# The message digest algorithm. md5 is obsolete; sha256 is the usual choice today
# (the sample CRL output further down was produced with md5)
default_md = md5
# A section with a set of variables corresponding to DN fields
policy = policy_any
# Whether an email address has to be present in the DN
email_in_dn = no
# These sections define the way the name and certificate info are displayed to you
name_opt = ca_default
cert_opt = ca_default
# Don't copy extensions from the certificate request
copy_extensions = none
# The extension section whose CRL distribution point is encoded into newly signed certificates
x509_extensions = extensions_section

[ extensions_section ]
# openssl requires the "URI:" prefix here; the file name is the CRL generated below
crlDistributionPoints = URI:file:///Users/yhabteab/openssl/satellite.crl

# Since we are going to accept anything and only require a CN, we have to define policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Generate the CRL
cd /Users/yhabteab/openssl
openssl ca -config openssl.cnf -gencrl -out satellite.crl
You can check the contents of the CRL using the “crl” tool. In case no certificates have been revoked yet, the output shows “No Revoked Certificates”.
openssl crl -in satellite.crl -noout -text
Revoke a certificate
Since we are going to revoke an existing certificate of an Icinga endpoint, we don’t need to generate a new one. Because the Icinga CA certificate and private key are specified in the configuration file above, we do not need to pass any keys when running the following command. The -config parameter applies our own openssl configuration instead of the default one.
openssl ca -config openssl.cnf -revoke /path/to/icinga2/certs/satellite.crt
After revoking a certificate we also have to regenerate the CRL, otherwise the revocation does not appear in it and clients will not notice that the certificate has been revoked.
openssl ca -config openssl.cnf -gencrl -out satellite.crl
However, if you now check the contents of the CRL as above, the output will no longer be “No Revoked Certificates” but will look like this. In your case the certificates will of course have different serial numbers, but the structure is exactly the same.
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Icinga CA
        Last Update: Mar 16 09:14:23 2021 GMT
        Next Update: Mar 16 10:14:23 2021 GMT
Revoked Certificates:
    Serial Number: A35C5B451C1C61C938C0935B6C8CCEDE4B08739A
        Revocation Date: Mar 15 22:24:19 2021 GMT
    Serial Number: C1624AD7C223D3647BCC98359AE301F029F2C5FD
        Revocation Date: Mar 15 20:37:39 2021 GMT
[...]
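The whole lifecycle above (generate the CRL, revoke, regenerate, check) condensed into one runnable script, as an added example that is not part of the original post and not Icinga’s or the author’s code. It assumes a throw-away CA in a temporary directory with constructed names (“Demo CA”, “satellite”), uses sha256 instead of md5, and stands in for the Icinga master’s check with openssl verify -crl_check, which reports the same error 23 (“certificate revoked”) that shows up in the Icinga log. It also demonstrates the pitfall from the previous step: after -revoke but before -gencrl the stale CRL still passes the certificate.

```shell
#!/bin/sh
# Added example (not from the blog post or the Icinga project): CRL lifecycle
# against a throw-away CA. All paths and the "Demo CA"/"satellite" names are
# constructed for this demo; openssl verify stands in for the Icinga master.
set -eu

# Build a minimal CA database plus one signed leaf certificate; prints the work dir.
setup_demo_ca() {
  work=$(mktemp -d)
  mkdir -p "$work/newcerts"
  : > "$work/index.txt"       # openssl ca refuses to run without the database file
  echo 1000 > "$work/serial"  # next certificate serial number, hex
  echo 01 > "$work/crlnumber" # next CRL number, hex
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_days = 365
default_crl_hours = 1
default_md = sha256
policy = policy_any
x509_extensions = leaf_ext

[ policy_any ]
commonName = supplied

[ leaf_ext ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed demo CA, then a leaf certificate issued by it (demo-only keys)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" -config "$work/openssl.cnf" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=satellite" \
    -keyout "$work/satellite.key" -out "$work/satellite.csr" -config "$work/openssl.cnf" >/dev/null 2>&1
  openssl ca -batch -notext -config "$work/openssl.cnf" \
    -in "$work/satellite.csr" -out "$work/satellite.crt" >/dev/null 2>&1
  echo "$work"
}

# (Re)generate the CRL from the CA database, exactly as in the post
gen_crl() {
  openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/satellite.crl" >/dev/null 2>&1
}

# Mark the leaf certificate as revoked in index.txt (the CRL file is NOT updated by this)
revoke_cert() {
  openssl ca -config "$1/openssl.cnf" -revoke "$1/satellite.crt" >/dev/null 2>&1
}

# Number of "Serial Number:" entries the CRL lists (an empty CRL prints "No Revoked Certificates")
revoked_count() {
  openssl crl -in "$1/satellite.crl" -noout -text | grep -c 'Serial Number:' || true
}

# Exit 0 while the leaf cert chains to the CA and is absent from the CRL; non-zero
# (error 23, "certificate revoked") once the CRL lists it. This is the check an
# Icinga master performs for each new connection when crl_path is configured.
check_cert() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/satellite.crl" \
    "$1/satellite.crt" >/dev/null 2>&1
}

run_demo() {
  w=$(setup_demo_ca)
  gen_crl "$w"
  echo "fresh CRL, $(revoked_count "$w") entries: $(check_cert "$w" && echo accepted || echo rejected)"
  revoke_cert "$w"
  echo "revoked, CRL not regenerated: $(check_cert "$w" && echo accepted || echo rejected)"
  gen_crl "$w"
  echo "CRL regenerated, $(revoked_count "$w") entry: $(check_cert "$w" && echo accepted || echo rejected)"
  rm -rf "$w"
}

if [ "${1:-}" = "--run" ]; then run_demo; fi
```

Run it with `sh crl-demo.sh --run`: the second line shows “accepted” even though the certificate has already been revoked, because the master only ever sees the CRL file, not the CA database; only after the second -gencrl does the check flip to “rejected”.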
Before starting the master, we need to configure the CRL path in “/etc/icinga2/features-enabled/api.conf” on the master.
object ApiListener "api" {
  ticket_salt = TicketSalt
  crl_path = "/Users/yhabteab/satellite.crl"
}
Now, when you start both Icinga endpoints, the master logs the following messages because the other endpoint is no longer trusted.
information/ApiListener: New client connection for identity 'satellite' from [127.0.0.1]:52452 (certificate validation failed: code 23: certificate revoked)
information/JsonRpcConnection: Received certificate request for CN 'satellite' not signed by our CA: certificate revoked (code 23)
information/JsonRpcConnection: Certificate request for CN 'satellite' is pending. Waiting for approval.
warning/JsonRpcConnection: API client disconnected for identity 'satellite'
Conclusion
Since Icinga does not support the Online Certificate Status Protocol (OCSP) yet, the CRL has to be maintained manually. If you don’t properly manage the list yourself, the file can grow quite large over time, making it inefficient on devices with limited memory. Each time a new connection is established, Icinga parses the entire list to determine whether or not the presented certificate is revoked. Depending on the size of the file, this can cause latency and poor performance.