Configure a CRL in Tenable Security Center

Required Tenable Security Center User Role: Root user

You can enable a certificate revocation list (CRL) in Tenable Security Center to prevent users from authenticating to Tenable Security Center if their certificate matches a revocation in the CRL.

Note: Tenable Support does not assist with CRL creation or configuration in Tenable Security Center.

Before you begin:

  • Confirm that you have the mod_ssl Apache module installed on Tenable Security Center.
  • Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore the current version.

To configure a CRL in Tenable Security Center:

  1. In a text editor, open the /opt/sc/support/conf/sslverify.conf file.

    1. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.

    2. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.

    3. Save the file.

      Tenable Security Center saves your configuration.

  2. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

    Tenable Security Center restarts.

  3. Confirm that your CA root configuration file contains the following parameters:

    • crl_dir
    • database
    • crl
    • clr_extensions
    • default_crl_days

    For example:

    ...

    # Directory and file locations.

    dir = /opt/sc/data/CA

    crl_dir = /opt/sc/support/conf/crl

    database = /opt/sc/support/conf/index.txt

    # The root key and root certificate.

    private_key = /opt/sc/support/conf/TenableCA.key

    certificate = /opt/sc/data/CA/TenableCA.crt

    # For certificate revocation lists.

    crl = /opt/sc/support/conf/crl/ca.crl

    crl_extensions = crl_ext

    default_crl_days = 30

    ...

  4. Save your CA root configuration file as YourCAname.conf in a subdirectory of /opt/sc/support/conf/.

  5. Confirm the directories and files referenced in your YourCAname.conf file are present on Tenable Security Center in a subdirectory of /opt/sc/support/conf/.

  6. Configure Tenable Security Center to trust your CA, as described in Trust a Custom CA.

    Tenable Security Center processes your CA.

  7. In the command line interface (CLI), run the following command to enable the CRL in Tenable Security Center:

    $ openssl ca -config <CA root configuration file directory> -gencrl -out <crl parameter value in the YourCAname.conf file>

    For example:

    $ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl

    Tenable Security Center creates the CRL file.

  8. In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.

    1. Add the following content at the end of the file:

      SSLCARevocationCheck <value>

      SSLCARevocationFile "<filepath>"

      Where <value> and <filepath> are:

      ContentDescription
      SSLCARevocationCheck <value>
      chainTenable Security Center checks all certificates in a chain against the CRL.
      leafTenable Security Center checks only the end-entity certificate in a chain against the CRL.
      SSLCARevocationFile <filepath>
      Specifies the file path for the CRL file in Tenable Security Center. For example, /opt/sc/support/conf/crl/ca.crl.

    2. Save the file.

      Tenable Security Center saves your configuration.

  9. In the CLI, run the following command to create a symbolic link for the CRL file:

    $ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0

    For example:

    $ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0

    Caution: Do not use a single quote character (') instead of a backtick character (`); this command requires the backtick.

    Tenable Security Center creates a symbolic link for the CRL file.

  10. Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.

    Tenable Security Center restarts.