Automatic CRL Handling

A Certificate Revocation List (CRL) associated with a CA certificate typically expires on a weekly or monthly interval. When you receive a CRL expiration alert, you must manually upload the new CRL to HPE OneView.

HPE OneView 5.2 and later versions can be configured to download CRLs automatically. When the Automatic CRL downloading setting is enabled, a scheduled automatic CRL downloader on the appliance checks the validity of all CRLs that are available in the appliance and updates the CRLs that have expired or are about to expire. During this process the downloader also fetches any CRLs that were not previously downloaded. The job is scheduled to run at 12 AM UTC. Every day, the appliance checks for CRLs that are about to expire; if any CRL expires within three days, the appliance downloads the latest available CRL, which prevents CRLs on the appliance from expiring. You can adjust how many days before expiry the download is triggered through the global setting variable global.daysBeforeToTriggerCRLDownload using the REST API /rest/certificates/validator-configuration. If a CRL download fails, the appliance retries the operation three times before raising an alert.

NOTE:

Irrespective of the number of days before expiry at which the download is triggered, the CRL infrastructure has an inherent lag. When a CA publishes a new CRL, the CA has no mechanism to notify relying parties of the update. Because of this lag, a newly revoked certificate is not picked up until the next refresh. This is not an HPE OneView-specific issue but a limitation of the CRL ecosystem.

If the scheduled run for a specific day is missed, for example because the appliance was down on the scheduled day, HPE OneView initiates the CRL downloader after the reboot.

The CRL DP (CRL distribution point) information for a CA certificate is available only in a certificate that is signed by that CA. The appliance extracts this CRL DP information whenever it reads a CA-signed certificate, either when the certificate is imported into the appliance or when it is encountered during TLS communication with a managed device or external server. Once the CRL DP information for a CA certificate is available in the appliance, the CRL is downloaded asynchronously from the CRL DP URL and associated with the CA certificate in the appliance.

Strict revocation checks for a CA-signed certificate can be performed only after the CRL for the CA (intermediate or root) that signed the certificate is downloaded to the appliance.

You can configure HPE OneView to automatically download CRLs for certificates by enabling the Automatic CRL download option in the Settings > Security > Actions > Edit > Certificate page.

NOTE:

To download all the CRLs of any certificate chain, the complete CA certificate chain (Root CA and all the intermediate CAs) must be uploaded to the appliance.

HPE OneView downloads CRLs during the following events:

  • Importing a certificate

    • When a certificate chain is imported, CRLs are downloaded while saving the CA certificate chain to the appliance.

    • When an incomplete certificate chain is imported and the Root CA is already present in the appliance, the CRLs are downloaded while saving the CA certificate chain to the appliance. Whether the CRLs can be downloaded depends on the availability of the Root CA in the appliance.

  • First-time communication

    When a connection is established from HPE OneView to a managed device or an external server that has a CA-signed certificate for the first time, the certificate chain presented to HPE OneView during the communication is checked for CRL DP information and for the availability of the corresponding CRLs in the appliance. If the CRLs are not found in the appliance during this verification, the corresponding CRLs are scheduled for download.
    NOTE:
    • During the first communication with a managed device, if the CRL is not available, the certificate revocation check is not performed. The CRLs are downloaded asynchronously after the first communication and the revocation checks are performed during subsequent communication.

    • Revocation check on any certificate in the appliance is based on the availability of the CRL corresponding to the issuer CA of that certificate and the revocation checking settings configured by you.

    • When a RabbitMQ client holding an external CA-signed certificate communicates with the appliance, ensure that you manually add the CRLs associated with the issuer CA chain of the client certificate to HPE OneView. HPE OneView does not download the CRLs automatically during this communication with the RabbitMQ client.

  • Appliance reboot

    If the appliance is down for more than a day and is then rebooted, some of the CRLs might expire in the meantime. When the Automatic CRL downloading setting is enabled, the expired CRLs are updated 90 minutes after the appliance reboot. If you have enabled the certificate revocation check option and the appliance communicates with a managed device or any external server during these 90 minutes, certificate revocation checks are temporarily disabled. This temporary disabling applies only to CA certificates whose CRLs in the appliance have expired; for CAs whose CRLs are still valid, revocation checks are performed.

  • Backup and restore

    When you take an appliance backup and later restore it, some of the CRLs might expire in the meantime. When the Automatic CRL downloading option is enabled, the expired CRLs are updated 90 minutes after the appliance is restored. If you have enabled the certificate revocation check option and the appliance communicates with a managed device or any external server during these 90 minutes, certificate revocation checks are temporarily disabled. This temporary disabling applies only to CA certificates whose CRLs in the appliance have expired.

    NOTE: You can retain the strict revocation policies defined in the appliance by setting the global setting variable retain-expired-crl-revocation-policy = true using the REST API /rest/global-settings. If retain-expired-crl-revocation-policy is set to true before the appliance reboot, strict revocation policies, if previously enabled by the user, are retained and revocation checks are performed during the 90-minute window.

  • Appliance upgrade

    When the appliance is upgraded to HPE OneView 5.2 or a later version, the CRLs that were uploaded manually in previous releases are validated after the reboot, once the Automatic CRL download option is enabled. If any of those CRLs have expired or are about to expire, the latest available CRLs are downloaded and updated in the appliance.
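The daily refresh policy described in the opening paragraph and the 90-minute post-reboot/restore window described above, modelled as an added example (not HPE OneView code). The inventory, the injected download function and the alert sink are constructed stand-ins; the threshold and retry count follow the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

RETRIES = 3              # page: three retries before an alert is raised
DEFAULT_DAYS_BEFORE = 3  # page: global.daysBeforeToTriggerCRLDownload default

def utc(iso: str) -> datetime:
    """Parse a constructed timestamp as UTC (the real job runs at 12 AM UTC)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

@dataclass
class CaEntry:
    name: str
    crl_dp_url: str
    crl_next_update: Optional[datetime] = None  # None: CRL never downloaded

def needs_refresh(entry: CaEntry, now: datetime, days_before: int = DEFAULT_DAYS_BEFORE) -> bool:
    """Refresh when the CRL is missing, expired, or expires within the window."""
    if entry.crl_next_update is None:
        return True
    return entry.crl_next_update - now <= timedelta(days=days_before)

def run_crl_job(inventory, now: datetime, download: Callable[[str], datetime], alert,
                days_before: int = DEFAULT_DAYS_BEFORE) -> dict:
    """Simulate one run of the daily job; returns {CA name: outcome}."""
    outcome = {}
    for entry in inventory:
        if not needs_refresh(entry, now, days_before):
            outcome[entry.name] = "valid"
            continue
        for attempt in range(1, RETRIES + 2):  # first try plus three retries
            try:
                entry.crl_next_update = download(entry.crl_dp_url)
                outcome[entry.name] = f"refreshed on attempt {attempt}"
                break
            except OSError as exc:
                last_error = exc
        else:
            alert(f"CRL download failed for {entry.name}: {last_error}")
            outcome[entry.name] = "alert"
    return outcome

def revocation_check_active(entry: CaEntry, now: datetime, restart_at: datetime,
                            retain_policy: bool = False) -> bool:
    """False only for an expired CRL inside the 90-minute window without retain-expired-crl-revocation-policy."""
    in_window = timedelta(0) <= now - restart_at < timedelta(minutes=90)
    expired = entry.crl_next_update is not None and entry.crl_next_update <= now
    return not (in_window and expired and not retain_policy)
```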

NOTE:
  • You can also manually upload a CRL for a CA to HPE OneView by locating the CRL DP information in any certificate signed by that CA. For more information on locating CRL DPs and uploading CRLs, see Locate CRL distribution points. When the Automatic CRL downloading setting is not enabled, you can also use an off-appliance script to download the CRLs. For more information, see https://github.com/HewlettPackard/oneview-python-samples/tree/master/crl_helper. Do not use the off-appliance script when the Automatic CRL downloading setting is enabled.

  • You may also need proxy settings if you use a certificate issued by an external CA (for example, DigiCert). The CRLs are hosted by the CAs, and reaching them may require a proxy.

Downloading CRLs through proxy server

For CRL DPs with HTTP/HTTPS protocols, HPE OneView first attempts to download the CRLs using proxy settings. If the connection fails, a direct connection to CRL DPs is attempted. You can configure the HTTP/HTTPS proxy settings in Settings > Proxy screen of the HPE OneView appliance.

For CRL DPs with the LDAP/LDAPS protocol, the first attempt to connect to the CRL DP is through a direct connection. If it fails, an attempt is made through the SOCKS proxy settings. By default, the SOCKS proxy uses the same HTTP/HTTPS proxy settings that are configured in the Settings > Proxy screen, with the port attribute set to 1080. If that connection fails, you must set up a SOCKS proxy server external to the HPE OneView appliance. Once the SOCKS proxy server is configured, set the following global variables using the REST API /rest/global-settings.
  • socks-proxy-server (IP address or a hostname)

  • socks-proxy-port

  • use-http-proxy-credentials

The socks-proxy-server and socks-proxy-port variables correspond to the values you used when creating the SOCKS proxy server. Set use-http-proxy-credentials to true to use the same authentication credentials (username and password) as the HTTP/HTTPS proxy server. Set use-http-proxy-credentials to false if the SOCKS proxy server (for example, a SOCKS v4 proxy) does not require authentication credentials.
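The connection-attempt order for a CRL DP URL and the SOCKS defaults described in this section, as an added example (not HPE OneView code). The proxy settings are plain dicts constructed here; how unset use-http-proxy-credentials is treated is an assumption, as noted in the code.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_SOCKS_PORT = 1080  # page: port used when the HTTP proxy host is reused for SOCKS

def socks_proxy(http_proxy: dict, global_settings: dict) -> dict:
    """Resolve the SOCKS proxy used for LDAP/LDAPS CRL DPs.

    Default: the Settings > Proxy host on port 1080. The socks-proxy-server,
    socks-proxy-port and use-http-proxy-credentials global settings override it.
    """
    host = global_settings.get("socks-proxy-server") or http_proxy["host"]
    port = int(global_settings.get("socks-proxy-port") or DEFAULT_SOCKS_PORT)
    # Assumption: when use-http-proxy-credentials is unset, no credentials are sent.
    reuse = str(global_settings.get("use-http-proxy-credentials", "false")).lower() == "true"
    creds = (http_proxy.get("username"), http_proxy.get("password")) if reuse else None
    return {"host": host, "port": port, "credentials": creds}

def attempt_order(crl_dp_url: str, http_proxy: Optional[dict], global_settings: dict) -> list:
    """Ordered connection attempts for one CRL DP URL, as the text describes.

    HTTP/HTTPS: proxy first, then direct. LDAP/LDAPS: direct first, then SOCKS.
    """
    scheme = urlsplit(crl_dp_url).scheme.lower()
    if scheme in ("http", "https"):
        attempts = [("proxy", http_proxy)] if http_proxy else []
        return attempts + [("direct", None)]
    if scheme in ("ldap", "ldaps"):
        attempts = [("direct", None)]
        if http_proxy or global_settings.get("socks-proxy-server"):
            attempts.append(("socks", socks_proxy(http_proxy or {}, global_settings)))
        return attempts
    raise ValueError(f"unsupported CRL DP scheme in {crl_dp_url!r}")
```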
NOTE:

You can download the CRL from a specific CRL DP using the REST API PATCH /rest/certificates/ca and provide the certificate that contains the CRL DP. Ensure that the Issuer CA of this certificate is available in the appliance before using this API.