Certificate Revocation Lists
From time to time, Certificate Authorities (CAs) issue certificate revocation lists (CRLs). CRLs contain information about certificates that can no longer be trusted. For example, suppose Ann leaves XYZ Corporation. The company can place Ann’s certificate on a CRL to prevent her from signing messages with that key.
Similarly, you can revoke a certificate if a private key is compromised or if that certificate expired and a new one is in use. Before you trust a public key, make sure that the certificate does not appear on a CRL.
NetScaler Gateway supports the following two CRL types:
- CRLs that list the certificates that are revoked or are no longer valid
- Online Certificate Status Protocol (OSCP), an Internet protocol used for obtaining the revocation status of X.509 certificates
To add a CRL
Before you configure the CRL on the NetScaler Gateway appliance, make sure that the CRL file is stored locally on the appliance. In the case of a high availability setup, the CRL file must be present on both NetScaler Gateway appliances, and the directory path to the file must be the same on both appliances.
If you need to refresh the CRL, you can use the following parameters:
- CRL Name: The name of the CRL being added on the NetScaler. Maximum 31 characters.
- CRL File: The name of the CRL file being added on the NetScaler. The NetScaler looks for the CRL file in the /var/netscaler/ssl directory by default. Maximum 63 characters.
- URL: Maximum 127 characters
- Base DN: Maximum 127 characters
- Bind DN: Maximum 127 characters
- Password: Maximum 31 characters
- Day(s): Maximum 31
- In the configuration utility, on the Configuration tab, expand SSL and then click on CRL.
- In the details pane, click Add.
- In the Add CRL dialog box, specify the values for the following:
- CRL Name
- CRL File
- Format (optional)
- CA Certificate (optional)
- Click Create and then click Close. In the CRL details pane, select the CRL that you just configured and verify that the settings that appear at the bottom of the screen are correct.
To configure CRL autorefresh by using LDAP or HTTP in the configuration utility
A CRL is generated and published by a CA periodically or, in some cases, immediately after a particular certificate is revoked. Citrix recommends that you update CRLs on the NetScaler Gateway appliance regularly for protection against clients trying to connect with certificates that are not valid.
The NetScaler Gateway appliance can refresh CRLs from a web location or an LDAP directory. When you specify refresh parameters and a web location or an LDAP server, the CRL does not have to be present on the local hard disk drive at the time you run the command. The first refresh stores a copy on the local hard disk drive, in the path specified by the CRL File parameter. The default path for storing the CRL is /var/netscaler/ssl.
CRL Refresh Parameters
The name of the CRL being refreshed on the NetScaler Gateway.
Enable CRL Auto Refresh
Enable or disable CRL auto refresh.
The certificate of the CA that has issued the CRL. This CA certificate must be installed on the appliance. The NetScaler can update CRLs only from CAs whose certificates are installed on it.
Protocol in which to obtain the CRL refresh from a web server (HTTP) or an LDAP server. Possible Values: HTTP, LDAP. Default: HTTP.
The extent of the search operation on the LDAP server. If the scope specified is Base, the search is at the same level as the base DN. If the scope specified is One, the search extends to one level below the base DN.
The IP address of the LDAP server from which the CRL is retrieved. Select IPv6 to use an IPv6 IP address.
The port number on which the LDAP or the HTTP server communicates.
The URL for the web location from which the CRL is retrieved.
The base DN used by the LDAP server to searchfor the CRL attribute. Note: Citrix recommends using the base DN attribute instead of the Issuer-Name from the CA certificate to search for the CRL in the LDAP server. The Issuer-Name field may not exactly match the LDAP directory structure’s DN.
The bind DN attribute used to access the CRL object in the LDAP repository. The bind DN attributes are the administrator credentials for the LDAP server. Configure this parameter to restrict unauthorized access to the LDAP servers.
The administrator password used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, that is, anonymous access is not allowed.
The interval at which the CRL refresh should be carried out. For an instantaneous CRL refresh, specify the interval as NOW. Possible values: MONTHLY, DAILY, WEEKLY, NOW, NONE.
The day on which CRL refresh should be performed. The option is not available if interval is set to DAILY.
The exact time in 24-hour format when the CRL refresh should be performed.
Set the LDAP-based CRL retrieval mode to binary. Possible values: YES, NO. Default: NO.
- In the navigation pane, expand SSL and then click CRL.
- Select the configured CRL for which you want to update refresh parameters and then click Open.
- Select the Enable CRL Auto Refresh option.
- In the CRL Auto Refresh Parameters group, specify values for the following parameters:
Note: An asterisk (*) indicates a required parameter.
- Server IP
- Base DN*
- Bind DN
- Click Create. In the CRL pane, select the CRL that you just configured and verify that the settings that appear at the bottom of the screen are correct.