matt4

Question Regarding CRL

I recently had to recreate a CA in an eDir 9.1.3 tree as it had been 10 years and it expired.

I am using certs issued from this CA for some internal web sites that are proxied by Access Manager.

I noticed now with the new certs that NAM is trying to check the revocation status of the cert, which is a good thing.

However, it is using the ldap: URI to do the check, not the http: URI (both are configured as default distribution points in the CRL object).

I have ldap configured to require TLS, so 389 is not allowed, hence, NAM cannot connect and verify the validity of the cert.

My question is, can I just delete the ldap: URI from the CRL Distribution Points and just leave the http: ones in there? Will I break anything? Or do I have to allow LDAP 389 for this? And if I do, is there a way to lock down LDAP so the cleartext URI is only valid for CRL checking?

And if I modify the CRL distribution points, do I have to reissue certs? Or re-distribute the trusted root?

Thanks.

Matt

Re: Question Regarding CRL

matt <matt@no-mx.forums.microfocus.com> wrote:
>
> And if I modify the CRL distribution points, do I have to reissue certs?
> Or re-distribute the trusted root?
>
> Thanks.
>


Pretty sure you have to reissue the certs after you clean up the CRL.



Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: Question Regarding CRL

On 2019-03-18 16:04, matt wrote:
> My question is, can I just delete the ldap: URI from the CRL
> Distribution Points and just leave the http: ones in there? Will I
> break anything?


Only if your clients don't support http for CRL retrieval. Or if there
is a firewall in between blocking such connections.

> Or do I have to allow LDAP 389 for this? And if I do,
> is there a way to lock down LDAP so the cleartext URI is only valid for
> CRL checking?


In eDirectory, you cannot set ACLs on the security strength factor of a
session.

> And if I modify the CRL distribution points, do I have to reissue certs?
> Or re-distribute the trusted root?


Clients read the CRL distribution points for an extension in the server
certificate. So, yes, you'll have to reissue the certs.

--
Norbert
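The point Norbert makes above, that the distribution points are an extension inside each issued certificate rather than something the verifier looks up at the CA, can be seen with a throwaway CA. The script below is an added example, not code from the thread and not anything shipped with eDirectory or Access Manager. It assumes a POSIX shell with the openssl command line (1.1.1 or later) on the path; every host name, DN and URI in it is a placeholder chosen for the example. It issues one certificate with both an ldap: and an http: distribution point, a second one from the "edited" CA with only the http: URI, then publishes a CRL, revokes the first certificate and verifies both with CRL checking required.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway OpenSSL CA whose issued
# certificates carry two CRL distribution points (ldap: first, http: second,
# the order a client walks them), used to show that the CDP list is baked
# into each issued certificate and that CRL checking fails closed on revocation.
# All host names, DNs and URIs are placeholders chosen for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = index.txt
serial           = serial
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
unique_subject   = no
policy           = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Demo Tree CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
# What a CA with both default distribution points stamps into every leaf.
# The comma inside the LDAP DN is %2C-encoded because OpenSSL splits on ','.
[ leaf_ext ]
basicConstraints      = CA:FALSE
subjectAltName        = DNS:intranet.example.test
crlDistributionPoints = URI:ldap://ldap.example.test/cn=CRL%2Cou=Security,URI:http://pki.example.test/crl/demo.crl
# The same CA after the ldap: URI has been removed from its CRL object.
[ leaf_ext_http_only ]
basicConstraints      = CA:FALSE
subjectAltName        = DNS:intranet.example.test
crlDistributionPoints = URI:http://pki.example.test/crl/demo.crl
EOF
touch index.txt
echo 01 > serial

# Trusted root, then one server certificate issued with both CDPs.
openssl req -new -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout server.key \
    -out server.csr -subj "/CN=intranet.example.test" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -extensions leaf_ext \
    -in server.csr -out server.pem 2>/dev/null

# List the CDP URIs a verifier will read out of a certificate, in order.
cdps() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI://p'
}

# Verify a certificate against the CA with CRL checking required.
check() {
    if openssl verify -CAfile ca.pem -CRLfile demo.crl -crl_check "$1" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Publish a CRL (this is the file the http: URI would serve).
openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null
STATUS_BEFORE=$(check server.pem)

# Reissue after editing the CA's CDP list: only the new certificate changes.
openssl ca -config ca.cnf -batch -notext -extensions leaf_ext_http_only \
    -in server.csr -out server2.pem 2>/dev/null

# Revoke the first certificate, republish the CRL, and re-check both.
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null
STATUS_AFTER=$(check server.pem)
STATUS_NEW=$(check server2.pem)

echo "CDPs in original certificate:"; cdps server.pem
echo "CDPs in reissued certificate:"; cdps server2.pem
echo "original: $STATUS_BEFORE before revocation, $STATUS_AFTER after; reissued: $STATUS_NEW"
```

The original certificate keeps listing the ldap: URI first no matter what is later changed in the CA's CRL object; only the certificate issued afterwards carries the trimmed list, which is why a CDP change means reissuing. The trusted root itself is untouched by the change and does not need to be redistributed for that reason alone. The last lines also show the fail-closed behaviour: with `-crl_check` the revoked certificate is rejected, and a verifier that cannot fetch the CRL at all should be treated as a failure rather than silently passing.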

Re: Question Regarding CRL

On 03/18/2019 09:04 AM, matt wrote:
>
> I recently had to recreate a CA in an eDir 9.1.3 tree as it had been 10
> years and it expired.


It happens.

> I am using certs issued from this CA for some internal web sites that
> are proxied by Access Manager.
>
> I noticed now with the new certs that NAM is trying to check the
> revocation status of the cert, which is a good thing.


Yes, the ability to handle situations which require revocation is a good
thing, and NAM's support of that is also nice.

> However, it is using the ldap: URI to do the check, not the http: URI
> (both are configured as default distribution points in the CRL object).


If you prevent access to the LDAP URI I would bet that NAM will try the
HTTP one in short order. An important point with regard to this is
blocking it so that a RST packet is sent back to the source so it will
immediately move on to the next URI rather than needing to timeout while
waiting for a never-to-be-received response, which will take the better
part of a minute. This may happen but rarely, but it's still best to
avoid that timeout.

> I have ldap configured to require TLS, so 389 is not allowed, hence, NAM
> cannot connect and verify the validity of the cert.


You could likely make this work another way, e.g. by allowing TCP 389 in
general on the eDirectory side, and then only allowing access to that
socket from the NAM systems. In that case you would not need to worry
about the HTTP option since NAM could do LDAP and be just fine, while no
other clients could reach TCP 389 due to the firewall restriction.

> My question is, can I just delete the ldap: URI from the CRL
> Distribution Points and just leave the http: ones in there? Will I
> break anything? Or do I have to allow LDAP 389 for this? And if I do,
> is there a way to lock down LDAP so the cleartext URI is only valid for
> CRL checking?


See above.

> And if I modify the CRL distribution points, do I have to reissue certs?
> Or re-distribute the trusted root?


The existing certs will still work, but unless the CRL can be reached
there may be timeouts, or failures, or success when there should be failures.

At the end of the day, CRLs are largely deprecated outside of special use
cases because they do not scale well. Technologies like OCSP replace CRLs
directly, but that requires the CA to support OCSP, which is not always
the case (e.g. eDirectory does not support OCSP).

--
Good luck.

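The two firewall points Ab raises above, restricting cleartext TCP 389 to the NAM hosts and making sure everyone else is refused with a reset rather than left to time out, fit in a small nftables ruleset. This is an added example, not configuration from the thread or from any Micro Focus product; it assumes the eDirectory server is a Linux host running nftables, that LDAPS stays open on 636 for everyone, and that the two NAM addresses are placeholders to be replaced with the real ones.

```nftables
table inet filter {
    # Placeholder addresses of the Access Manager systems that fetch CRLs
    # over ldap://; replace with the real NAM hosts.
    set nam_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # LDAPS stays open to every client.
        tcp dport 636 accept

        # Cleartext LDAP only from the CRL-fetching NAM hosts.
        ip saddr @nam_hosts tcp dport 389 accept

        # Everyone else gets an RST, not a silent drop: a client that walks the
        # CDP list fails over to the next URI at once instead of waiting out a
        # connect timeout (the delay Ab warns about). "drop" here would cause it.
        tcp dport 389 reject with tcp reset
    }
}
```

Load it with `nft -f` and confirm the behaviour from a non-NAM host: a connection attempt to port 389 should fail immediately with "connection refused" rather than hang. The explicit `reject with tcp reset` line matters even though the chain policy is `drop`, because the policy would otherwise swallow the SYN and produce exactly the timeout that is being avoided.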