Revoke certificate of an Icinga endpoint

Mar 17, 2021

A Certificate Revocation List (CRL) is a list of certificates that the issuing Certificate Authority (CA) has revoked before their scheduled expiration date. Those certificates should no longer be trusted. A client application such as an Icinga agent can use a CRL to verify that the certificate of the server is valid and trusted. When an Icinga endpoint connects to its master, the certificate (CRT) of the endpoint is checked for anomalies or problems, and this check includes verifying that the CRT is not on a CRL, so that access is denied once the CRT is no longer trusted.

Prepare a custom openssl configuration

I have prepared a configuration file for openssl where I commented each line as best I could.

# Since we are going to use the ca command, "ca" is the default section
[ ca ]
default_ca              = CA_default

[ CA_default ]

# The absolute path where the new certificates should be stored
dir                     = /Users/yhabteab/openssl
# The database (index) of issued and revoked certificates
database                = $dir/index.txt
# The directory where newly signed certificates are saved
new_certs_dir           = $dir/newcerts

# The file containing the Icinga CA certificate
certificate             = /var/lib/icinga2/ca/ca.crt
# A text file containing the next serial number to use, in hex
serial                  = $dir/serial
# The file containing the Icinga CA private key
private_key             = /var/lib/icinga2/ca/ca.key
# A file to read/write random data from/to
RANDFILE                = $dir/private/.rand

# For how many days a newly signed certificate is valid
default_days            = 365
# For how many days a generated CRL is valid (its "Next Update" field)
# default_crl_days      = 30
# For how many hours a generated CRL is valid; the minimum is one hour.
# Clients stop accepting the CRL after "Next Update", so it has to be
# regenerated at least this often.
default_crl_hours       = 1
# The message digest algorithm used to sign certificates and CRLs
# (md5 is kept here to match the CRL output shown below; sha256 is the usual choice today)
default_md              = md5

# A section stating which DN fields are required, optional or must match the CA
policy                  = policy_any
# Whether an email address in the DN is mandatory
email_in_dn             = no

# These options define how names and certificate details are displayed to you
name_opt                = ca_default
cert_opt                = ca_default
# Don't copy extensions from the request into the certificate
copy_extensions         = none

# The extension section added to signed certificates; it carries the CRL distribution point
x509_extensions         = extensions_section

[ extensions_section ]
# openssl expects a URI here (the directory and file name are the ones used in this post).
# Icinga itself loads the CRL from the crl_path configured on the master, not from this extension.
crlDistributionPoints   = URI:file:///Users/yhabteab/openssl/satellite.crl

# Since we are going to accept anything and only require a CN, policy_any marks every other field optional
[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

Generate the CRL

cd /Users/yhabteab/openssl

openssl ca -config openssl.cnf -gencrl -out satellite.crl

You can check the contents of the CRL using the openssl “crl“ subcommand. In case no certificates have been revoked yet, the output shows “No Revoked Certificates”.

openssl crl -in satellite.crl -noout -text

Revoke a certificate

Since we are going to revoke an existing certificate of an Icinga endpoint, we don’t need to generate a new one. As we specified the Icinga CA certificate and private key in the configuration file above, we do not need to pass any keys on the command line. The -config parameter applies our own openssl configuration instead of the default one.

openssl ca -config openssl.cnf -revoke /path/to/icinga2/certs/satellite.crt

After revoking a certificate we also have to regenerate the CRL, otherwise the CRL file does not yet list the revoked certificate.

openssl ca -config openssl.cnf -gencrl -out satellite.crl

However, if you now check the contents of the CRL as above, the output will no longer be “No Revoked Certificates“ but will look like this. In your case the certificate will of course have a different serial number but the structure is exactly the same.

Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN = Icinga CA
        Last Update: Mar 16 09:14:23 2021 GMT
        Next Update: Mar 16 10:14:23 2021 GMT
Revoked Certificates:
    Serial Number: A35C5B451C1C61C938C0935B6C8CCEDE4B08739A
        Revocation Date: Mar 15 22:24:19 2021 GMT
    Serial Number: C1624AD7C223D3647BCC98359AE301F029F2C5FD
        Revocation Date: Mar 15 20:37:39 2021 GMT
[...]
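To see the whole procedure end to end without touching a real Icinga CA, here is an added example script (not code from the post): it builds a throwaway CA in a temporary directory with a configuration mirroring the one above, issues one endpoint certificate with CN "satellite", generates the empty CRL, revokes the certificate, regenerates the CRL and checks with "openssl verify -crl_check" that the revoked certificate is now rejected, which is the same decision the master takes with its crl_path. All paths, the CA name, the CRL distribution point URI and the use of sha256 instead of md5 are assumptions made for this demo; it needs OpenSSL 1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the post: throwaway CA, one endpoint certificate,
# CRL generation, revocation, CRL regeneration and a CRL-aware verification.
set -eu

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Layout expected by "openssl ca": index database, serial file, output directory
mkdir -p "$WORK/newcerts" "$WORK/ca"
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"

# Configuration mirroring the post's CA_default section (all paths constructed here)
cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca              = CA_default

[ CA_default ]
dir                     = $WORK
database                = \$dir/index.txt
new_certs_dir           = \$dir/newcerts
certificate             = \$dir/ca/ca.crt
serial                  = \$dir/serial
private_key             = \$dir/ca/ca.key
default_days            = 365
default_crl_hours       = 1
default_md              = sha256
policy                  = policy_any
email_in_dn             = no
copy_extensions         = none
x509_extensions         = extensions_section

[ extensions_section ]
# Placeholder distribution point (assumption; Icinga reads the CRL from crl_path instead)
crlDistributionPoints   = URI:http://crl.example.invalid/satellite.crl

[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name      = req_dn
[ req_dn ]
commonName              = Common Name
[ v3_ca ]
basicConstraints        = critical,CA:TRUE
keyUsage                = critical,keyCertSign,cRLSign
subjectKeyIdentifier    = hash
EOF
CNF="$WORK/openssl.cnf"

# 1. Self-signed CA standing in for /var/lib/icinga2/ca/ca.crt and ca.key
openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=Icinga CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt"

# 2. One endpoint certificate signed by that CA (CN = satellite, like an Icinga endpoint)
openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=satellite" \
    -keyout "$WORK/satellite.key" -out "$WORK/satellite.csr"
openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/satellite.csr" -out "$WORK/satellite.crt"

# Verify a certificate against the CA and the current CRL.
# Prints OK, REVOKED (listed in the CRL) or FAIL (any other verification error).
check_cert() {
    out="$(openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
           -CRLfile "$WORK/satellite.crl" "$1" 2>&1)" && { echo OK; return 0; }
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *) echo FAIL ;;
    esac
}

# 3. Initial CRL: nothing revoked yet, so the certificate still verifies
openssl ca -config "$CNF" -gencrl -out "$WORK/satellite.crl"
BEFORE="$(check_cert "$WORK/satellite.crt")"

# 4. Revoke the endpoint certificate, then regenerate the CRL (the step that is easy to forget)
openssl ca -config "$CNF" -revoke "$WORK/satellite.crt"
openssl ca -config "$CNF" -gencrl -out "$WORK/satellite.crl"
AFTER="$(check_cert "$WORK/satellite.crt")"

echo "before revocation: $BEFORE, after revocation: $AFTER"
openssl crl -in "$WORK/satellite.crl" -noout -text | grep -A2 "Revoked Certificates"
```

If you skip the second -gencrl in step 4, check_cert keeps answering OK: the index.txt already marks the certificate as revoked, but the CRL file that clients actually read is unchanged until it is regenerated.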

Before starting the master, we need to configure the CRL path in “/etc/icinga2/features-enabled/api.conf“ on the master.

object ApiListener "api" {

  ticket_salt = TicketSalt

  crl_path = "/Users/yhabteab/satellite.crl"
}

Now when you start both Icinga endpoints, the master logs the following messages because the other endpoint is no longer trusted.

information/ApiListener: New client connection for identity 'satellite' from [127.0.0.1]:52452 (certificate validation failed: code 23: certificate revoked)
information/JsonRpcConnection: Received certificate request for CN 'satellite' not signed by our CA: certificate revoked (code 23)
information/JsonRpcConnection: Certificate request for CN 'satellite' is pending. Waiting for approval.
warning/JsonRpcConnection: API client disconnected for identity 'satellite'
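Rejected connections from a revoked endpoint keep showing up in the master's log as long as the endpoint retries, so it is worth extracting them. The following added example (not part of the post) pulls the identity and remote address out of ApiListener lines of the shape shown above and counts the attempts; the sample log lines are constructed for this example and the accepted-connection line in particular is not Icinga's real wording.

```shell
#!/bin/sh
# Added example, not from the post: report endpoints whose certificate the master
# rejected as revoked, based on log lines like the ones shown in the post.
set -eu

# Constructed sample log (the 'agent1' line is a made-up accepted connection)
SAMPLE_LOG="$(cat <<'EOF'
information/ApiListener: New client connection for identity 'satellite' from [127.0.0.1]:52452 (certificate validation failed: code 23: certificate revoked)
warning/JsonRpcConnection: API client disconnected for identity 'satellite'
information/ApiListener: New client connection for identity 'satellite' from [127.0.0.1]:52460 (certificate validation failed: code 23: certificate revoked)
information/ApiListener: New client connection for identity 'agent1' from [10.0.0.5]:41000 (accepted)
information/ApiListener: New client connection for identity 'old-agent' from [10.0.0.9]:41234 (certificate validation failed: code 23: certificate revoked)
EOF
)"

# Reads log text on stdin and prints "identity remote-address" once per endpoint
# whose certificate was rejected with OpenSSL error code 23 (certificate revoked).
revoked_endpoints() {
    sed -n "s/.*New client connection for identity '\([^']*\)' from \[\([^]]*\)]:[0-9]* (certificate validation failed: code 23: certificate revoked).*/\1 \2/p" \
        | sort -u
}

# Reads log text on stdin and prints how many connection attempts were rejected as revoked.
revoked_attempts() {
    grep -c 'certificate validation failed: code 23: certificate revoked' || true
}

printf '%s\n' "$SAMPLE_LOG" | revoked_endpoints
printf 'rejected attempts: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | revoked_attempts)"
```

On a live system, feed the master's log file to the functions instead of the sample (for example with tail -f), and treat an identity that keeps appearing after its certificate was revoked as something to follow up on rather than noise.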

Conclusion

Since Icinga does not support the Online Certificate Status Protocol (OCSP) yet, the CRL has to be maintained manually. If you don’t manage the list properly yourself, the file can grow quite large over time, which makes it inefficient on devices with limited memory. Each time a new connection is established, Icinga parses the entire list to determine whether the presented certificate is revoked, and depending on the size of the file this can add latency and hurt performance.
