Univention Bugzilla – Bug 35748
Keep CRL up to date
Last modified: 2016-07-21 15:16:05 CEST
The nextUpdate field within the ucsCA CRL is, by default, set to "now + 30 days" when a certificate is revoked. If those 30 days pass without a new revocation, the CRL is outdated and services that verify the CRL fail. We should update the CRL when it is outdated, like this:
--
#!/bin/bash
# Read the nextUpdate field of the current CRL (e.g. "Jul 21 15:16:05 2016 GMT").
nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"
# Regenerate only if nextUpdate already lies in the past.
if [ "$(date -u -d "$nextUpdate" '+%s')" -lt "$(date -u '+%s')" ]; then
    openssl ca \
        -config /etc/univention/ssl/openssl.cnf \
        -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
        -passin file:/etc/univention/ssl/password
    # Publish a DER copy next to the PEM one.
    openssl crl \
        -in /etc/univention/ssl/ucsCA/crl/crl.pem \
        -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
        -inform pem -outform der
    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--
We could, for example, define an @reboot cronjob or init script that defines an AT job that updates the CRL at $nextUpdate (and afterwards defines a new AT job at the new $nextUpdate, or updates the AT job if $nextUpdate has changed in between).
FYI: The certificate Baseline Requirements of the CA/Browser Forum define:
> the CA SHALL update and reissue CRLs at least once every seven days,
> and the value of the "nextUpdate" field MUST NOT be more than ten days
> beyond the value of the "thisUpdate" field
https://cabforum.org/baseline-requirements-documents/
2015111221000416
Just for completeness: if someone is using the script from comment #0 and wants to reduce the value of "nextUpdate", the script can be extended with the "-crldays" option:
--
#!/bin/bash
# Read the nextUpdate field of the current CRL (e.g. "Jul 21 15:16:05 2016 GMT").
nextUpdate="$(openssl crl -in /etc/univention/ssl/ucsCA/crl/crl.pem -noout -nextupdate | sed -ne 's/nextUpdate=//p')"
# Regenerate only if nextUpdate already lies in the past.
if [ "$(date -u -d "$nextUpdate" '+%s')" -lt "$(date -u '+%s')" ]; then
    # -crldays sets nextUpdate = thisUpdate + 7 days instead of the 30-day default.
    openssl ca \
        -config /etc/univention/ssl/openssl.cnf \
        -gencrl -out /etc/univention/ssl/ucsCA/crl/crl.pem \
        -crldays 7 \
        -passin file:/etc/univention/ssl/password
    # Publish a DER copy next to the PEM one.
    openssl crl \
        -in /etc/univention/ssl/ucsCA/crl/crl.pem \
        -out /etc/univention/ssl/ucsCA/crl/ucsCA.crl \
        -inform pem -outform der
    cp /etc/univention/ssl/ucsCA/crl/ucsCA.crl /var/www/
fi
--
Nevertheless, the value for crldays/nextUpdate should be configurable via UCR.
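An added example (not the univention-ssl package's code and not part of this bug report) that combines the refresh script from comments #0 and #2 with the CA/Browser Forum limits quoted above. It differs from the posted script in two ways a practitioner would want: it regenerates the CRL a configurable number of days before nextUpdate passes, rather than only once it is already expired (clients reject a CRL during that gap), and it checks that the issued CRL's validity window stays within the ten-day maximum. The paths default to the ones from the bug report; LEAD_DAYS, MAX_VALIDITY_DAYS, the `check` argument and all function names are assumptions of this example. Date parsing relies on GNU `date -d`, as the posted script does.

```shell
#!/bin/bash
# Added example, not the project's code. Paths below are the UCS paths from the
# bug report; LEAD_DAYS and MAX_VALIDITY_DAYS are assumptions of this example.

CRL_DIR="${CRL_DIR:-/etc/univention/ssl/ucsCA/crl}"
OPENSSL_CNF="${OPENSSL_CNF:-/etc/univention/ssl/openssl.cnf}"
CA_PASSFILE="${CA_PASSFILE:-/etc/univention/ssl/password}"
PUBLISH_DIR="${PUBLISH_DIR:-/var/www}"
CRL_DAYS="${CRL_DAYS:-7}"                    # nextUpdate = thisUpdate + CRL_DAYS
LEAD_DAYS="${LEAD_DAYS:-2}"                  # refresh this long before nextUpdate
MAX_VALIDITY_DAYS="${MAX_VALIDITY_DAYS:-10}" # CA/B: nextUpdate - thisUpdate <= 10 days

# Convert an OpenSSL date such as "Jul 21 15:16:05 2016 GMT" to a Unix epoch (GNU date).
openssl_time_to_epoch() {
    date -u -d "$1" '+%s'
}

# Print "<lastUpdate epoch> <nextUpdate epoch>" for a PEM-encoded CRL.
crl_window() {
    local last next
    last="$(openssl crl -in "$1" -noout -lastupdate)" || return 1
    next="$(openssl crl -in "$1" -noout -nextupdate)" || return 1
    echo "$(openssl_time_to_epoch "${last#lastUpdate=}") $(openssl_time_to_epoch "${next#nextUpdate=}")"
}

# Exit 0 when nextUpdate is already past or falls within LEAD days of now.
crl_needs_refresh() {
    local next="$1" now="$2" lead_days="$3"
    [ "$next" -le $(( now + lead_days * 86400 )) ]
}

# Exit 0 when the CRL validity window (nextUpdate - thisUpdate) is at most max_days.
crl_window_ok() {
    local last="$1" next="$2" max_days="$3"
    [ $(( next - last )) -le $(( max_days * 86400 )) ]
}

# Reissue the CRL with the shorter lifetime and publish the DER copy.
regenerate_crl() {
    openssl ca -config "$OPENSSL_CNF" -gencrl -crldays "$CRL_DAYS" \
        -out "$CRL_DIR/crl.pem" -passin "file:$CA_PASSFILE" &&
    openssl crl -in "$CRL_DIR/crl.pem" -inform pem \
        -out "$CRL_DIR/ucsCA.crl" -outform der &&
    cp "$CRL_DIR/ucsCA.crl" "$PUBLISH_DIR/"
}

main() {
    local now window last next
    now="$(date -u '+%s')"
    window="$(crl_window "$CRL_DIR/crl.pem")" || exit 1
    last="${window% *}"; next="${window#* }"
    if crl_needs_refresh "$next" "$now" "$LEAD_DAYS"; then
        regenerate_crl || exit 1
        window="$(crl_window "$CRL_DIR/crl.pem")" || exit 1
        last="${window% *}"; next="${window#* }"
    fi
    if ! crl_window_ok "$last" "$next" "$MAX_VALIDITY_DAYS"; then
        echo "CRL validity window exceeds $MAX_VALIDITY_DAYS days" >&2
        exit 1
    fi
    echo "CRL valid until $(date -u -d "@$next")"
}

# Only act when invoked as "<script> check", so the file can also be sourced.
if [ "${1:-}" = "check" ]; then
    main
fi
```

Run it as `crl-refresh.sh check` from a daily cron job (or from the AT-job scheme proposed in comment #0); with LEAD_DAYS=2 and CRL_DAYS=7 the CRL is reissued roughly every five days, which also satisfies the seven-day reissue requirement quoted above.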
r70576 | Bug #35748 ssl: Re-generate CRL periodically
Package: univention-ssl
Version: 10.0.0-12.169.201606231402
Branch: ucs_4.1-0
Scope: errata4.1-2
r70577 | Bug #31369,Bug #39257,Bug #24094,Bug #40498,Bug #25285,Bug #35748: ssl YAML univention-ssl.yaml
Code review: OK
Tests: OK
Advisory: OK
<http://errata.software-univention.de/ucs/4.1/213.html>