Managing CRLs in an IPsec VPN tunnel

Certification authorities can revoke certificates before their scheduled expiry. This occurs for example when a private key has been compromised or when an administrator leaves the organization. Accepting such certificates would allow an unauthorized user or firewall to authenticate on the SNS firewall. When the PKI implements CRLs, the SNS firewalls in question can be informed when certificates are revoked. By default, the absence of a CRL does not hinder the setup of an IPsec VPN tunnel, but is simply reported in the SNS firewall’s logs.

R35 | SNS-SMC | Impose CRL verification
CRL verification should be imposed when implementing IPsec VPN tunnels.

This default behavior can be changed by enabling the CRLrequired parameter and restarting the IPsec service. This can be done using the following NSRPC commands:

config ipsec update slot=01 CRLrequired=1
config ipsec activate

This parameter is stored in /Firewall/ConfigFiles/VPN/01/. The IPsec service can be enabled in console mode with the following NSRPC commands:

config slot activate global=0 slot=00 type=vpn
config slot activate global=0 slot=01 type=vpn

When these commands are used, all VPN tunnels will be shut down, and the new VPN policy (01) will be enabled. In both cases, the value of 01 used as an example represents the number of the IPsec policy used.

Retrieved CRLs are stored locally in the folders of their corresponding CAs or delegated CAs and renamed CA.crl.pem.

When the CRLrequired parameter is enabled, you will need to have all the CRLs in the certification chain.

Automatically importing CRLs

Even though a CRL has a limited validity period, it is important to check regularly whether any certificates have been revoked. The frequency with which the CRL is updated must be adapted to the use of authentication via certificate. If updates are too far apart, the SNS firewall may risk authenticating revoked certificates and allowing unauthorized access. For example, retrieving the CRL every 6 hours would drastically reduce the amount of time in which a revoked certificate can be used.

R36 | SNS | Adapt the automatic refreshment of CRLs
The refreshment time should be adapted to the desired level of responsiveness. If various services require different durations, the shortest must be used.

By default when the URL of a CRL is added and enabled, files are retrieved every 6 hours. Updates can be forced by using the system checkcrl NSRPC console command. Use system checkcrl help to obtain more details on the subject of the command. The frequency with which CRLs are retrieved via the web administration interface can also be modified.
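Two of the points above can be checked on a retrieved CRL (the CA.crl.pem stored in the CA's folder) without any firewall tooling: whether a given peer serial is listed as revoked, and whether the CRL's own validity window (thisUpdate to nextUpdate) is longer than the retrieval interval chosen under R36, since a firewall with CRLrequired enabled would otherwise hold an expired CRL between nextUpdate and the next fetch. The following Python example is added here and is not Stormshield code. It contains a minimal DER parser for the X.509 CertificateList structure, a decision helper that mirrors the two modes described (CRL absent but logged, versus CRLrequired), and the refresh-interval check. The CRL it parses is constructed inline with a zero placeholder in place of a real signature, the issuer name "Demo VPN CA" and the function names are this example's own, and treating an expired CRL like a missing one is an assumption of the example, not documented SNS behaviour.

```python
"""Inspect a retrieved CRL (such as a CA.crl.pem) without vendor tooling. Added example, not
Stormshield code: a minimal DER parser for X.509 CertificateList plus CRLrequired/R36 checks."""
import base64
import datetime as dt
UTC = dt.timezone.utc

def der(tag, content):  # DER TLV (the encoder only serves to build the constructed sample)
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content
def der_int(v):  # an extra byte keeps the top bit clear so the INTEGER stays positive
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def der_utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def parse_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, val, pos = parse_tlv(content, pos)
        items.append((tag, val))
    return items

def parse_time(tag, val):  # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=UTC)

def parse_crl(data):
    """Extract thisUpdate, nextUpdate and revoked serials from PEM or DER bytes; no signature check."""
    if data.lstrip().startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----")))
    _, tbs, _ = parse_tlv(parse_tlv(data)[1])  # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    fields = parse_children(tbs)
    i = (1 if fields[0][0] == 0x02 else 0) + 2  # optional version, then signature AlgorithmIdentifier, issuer
    this_update, next_update, i = parse_time(*fields[i]), None, i + 1
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update, i = parse_time(*fields[i]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:  # revokedCertificates, absent when nothing is revoked
        for _, entry in parse_children(fields[i][1]):
            serial, date = parse_children(entry)[:2]  # per-entry extensions are ignored
            revoked[int.from_bytes(serial[1], "big")] = parse_time(*date)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def evaluate(crl, peer_serial, now, crl_required):
    """Without CRLrequired a missing CRL is only logged (the page's default); with it the tunnel
    is refused. Treating an expired CRL like a missing one is this example's own assumption."""
    if crl is not None and peer_serial in crl["revoked"]:
        return False, "serial 0x%x revoked on %s" % (peer_serial, crl["revoked"][peer_serial].date())
    problem = None
    if crl is None:
        problem = "no CRL available for the issuing CA"
    elif crl["next_update"] is not None and now > crl["next_update"]:
        problem = "CRL expired at %s" % crl["next_update"].isoformat()
    if problem and crl_required:
        return False, problem
    return True, ("WARNING: " + problem) if problem else "CRL check passed"

def refresh_fits(crl, refresh_interval):
    """R36 check: a retrieval interval longer than the CRL's own validity window leaves a
    CRLrequired firewall holding an expired CRL until the next fetch."""
    return crl["next_update"] is None or refresh_interval <= crl["next_update"] - crl["this_update"]

def build_sample_crl(this_update, next_update, revoked_serials):
    """Constructed sample: well-formed DER with zero bytes in place of a real signature."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"Demo VPN CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(this_update)) for s in revoked_serials)
    tbs = der(0x30, der_int(1) + sha256_rsa + issuer + der_utctime(this_update)
              + der_utctime(next_update) + der(0x30, entries))
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))

def to_pem(der_bytes):  # same framing as the CA.crl.pem the firewall writes
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der_bytes) + b"-----END X509 CRL-----\n"

def demo():  # run the checks against the constructed sample and return the outcomes
    now, h = dt.datetime(2024, 1, 10, 12, 0, tzinfo=UTC), dt.timedelta(hours=1)
    crl = parse_crl(to_pem(build_sample_crl(now - h, now + 23 * h, [0x1001, 0x1002])))
    return {
        "revoked_serials": sorted(crl["revoked"]),
        "no_crl_optional": evaluate(None, 0x2000, now, crl_required=False)[0],  # logged only
        "no_crl_required": evaluate(None, 0x2000, now, crl_required=True)[0],   # refused
        "revoked_peer": evaluate(crl, 0x1001, now, crl_required=False)[0],
        "valid_peer": evaluate(crl, 0x2000, now, crl_required=True)[0],
        "stale_crl_required": evaluate(crl, 0x2000, now + 48 * h, crl_required=True)[0],
        "refresh_6h_ok": refresh_fits(crl, 6 * h),  # 6 h fits the sample's 24 h validity window
        "refresh_48h_ok": refresh_fits(crl, 48 * h),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-20s %s" % (name, outcome))
```

To inspect a real file, pass the bytes of a CA.crl.pem to parse_crl() and compare the returned next_update with the retrieval interval configured on the firewall; the parser reads the structure only and does not verify the CRL signature, which the firewall does against the CA certificate.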

R37 | SNS-SMC | Configure the CRL retrieval URL and enable automatic retrieval
The automatic CRL retrieval URL should be configured on each CA and this feature enabled in Configuration > System > Configuration on SNS firewalls, by selecting Enable regular retrieval of certificate revocation lists (CRL). On the SMC server, this feature can be configured in Configuration > Certificates > CA name > List of CRL distribution points.

CRL distribution points associated with a CA can be defined either via the web administration interface of the SNS firewall in Configuration > Objects > Certificates and PKI > CA name > Certificate profile, or by using the NSRPC command:

pki ca checkcrl add caname=<CA name> uri=<CRL URL>

The distribution point URL can be in HTTP, HTTPS, LDAP, LDAPS or FTP.

To allow the SNS firewall to resolve the FQDN of the CRL distribution point’s URL, a Host object corresponding to the FQDN must be defined in the firewall’s object database.

Manually importing CRLs

In some cases, automatically importing a CRL may be difficult, or even impossible. This occurs when a VPN tunnel is needed in order to obtain one, and the previous CRL is no longer valid or was never imported. The CRL can then be imported manually. During this operation, the administrator's action is required, and files need to be handled. Strict organizational procedures are therefore necessary and this operation must only be conducted exceptionally.

R37 | SNS-SMC | Manually import CRLs
If CRLs cannot be imported automatically, they should be imported manually.

On an SNS firewall, a CRL can be imported manually via the web administration interface in Configuration > Objects > Certificates and PKI > Add > Import a file. The CRL file must be in PEM or DER format and its name must not contain any extension. During import, the CRL file is copied into the folder of the CA with which it is associated, then converted to PEM and renamed CA.crl.pem.

On an SMC server, a CRL can be manually imported via the web administration interface in Configuration > Certificates > CA name > SMC as CRL distribution point.