Configure a CRL in Tenable Security Center
Required User Role: Root user
You can enable a certificate revocation list (CRL) in Tenable Security Center to prevent users from authenticating to Tenable Security Center if their certificate matches a revocation in the CRL.
Note: Tenable Support does not assist with CRL creation or configuration in Tenable Security Center.
Before you begin:
- Confirm that you have the mod_ssl Apache module installed on Tenable Security Center.
- Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore the current version.
To configure a CRL in Tenable Security Center:
- In a text editor, open the /opt/sc/support/conf/sslverify.conf file.
  Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.
  Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.
  Save the file.
  Tenable Security Center saves your configuration.
- Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.
  Tenable Security Center restarts.
- Confirm that your CA root configuration file contains the following parameters:
  - crl_dir
  - database
  - crl
  - crl_extensions
  - default_crl_days
For example:
...
# Directory and file locations.
dir = /opt/sc/data/CA
crl_dir = /opt/sc/support/conf/crl
database = /opt/sc/support/conf/index.txt
# The root key and root certificate.
private_key = /opt/sc/support/conf/TenableCA.key
certificate = /opt/sc/data/CA/TenableCA.crt
# For certificate revocation lists.
crl = /opt/sc/support/conf/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
...
- Save your CA root configuration file as YourCAname.conf in a subdirectory of /opt/sc/support/conf/.
- Confirm the directories and files referenced in your YourCAname.conf file are present on Tenable Security Center in a subdirectory of /opt/sc/support/conf/.
- Configure Tenable Security Center to trust your CA, as described in Trust a Custom CA.
  Tenable Security Center processes your CA.
- In the command line interface (CLI), run the following command to enable the CRL in Tenable Security Center:
  $ openssl ca -config <path to your YourCAname.conf file> -gencrl -out <crl parameter value in the YourCAname.conf file>
  For example:
  $ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl
  Tenable Security Center creates the CRL file.
- In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.
  Add the following content at the end of the file:
  SSLCARevocationCheck <value>
  SSLCARevocationFile "<filepath>"
  Where <value> and <filepath> are:
  - SSLCARevocationCheck <value>
    - chain: Tenable Security Center checks all certificates in a chain against the CRL.
    - leaf: Tenable Security Center checks only the end-entity certificate in a chain against the CRL.
  - SSLCARevocationFile <filepath>
    - Specifies the file path for the CRL file in Tenable Security Center. For example, /opt/sc/support/conf/crl/ca.crl.
  Save the file.
  Tenable Security Center saves your configuration.
- In the CLI, run the following command to create a symbolic link for the CRL file:
  $ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0
  For example:
  $ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0
  Caution: Do not use a single quote character (') instead of a backtick character (`); this command requires the backtick.
  Tenable Security Center creates a symbolic link for the CRL file.
- Restart Tenable Security Center, as described in Start, Stop, or Restart Tenable Security Center.
  Tenable Security Center restarts.
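The following script is an added example, not Tenable's code or part of the page's procedure. It exercises the CRL steps above end to end against a throwaway CA: a CA configuration carrying the five required parameters, a CRL generated with openssl ca -gencrl after one client certificate is revoked, the hashed .r0 symbolic link, and a check that a revoked certificate is rejected while a valid one passes. It assumes only that the openssl command-line tool is installed; the CA, the client names alice and bob, and the temporary working directory are all constructed here, so the paths differ from the /opt/sc/support/conf/ locations a real Tenable Security Center uses.

```shell
#!/bin/sh
# Added example, not Tenable's code: run the CRL steps from the page against a
# throwaway CA in a temp directory. A real deployment uses the paths in YourCAname.conf
# under /opt/sc/support/conf/<subdir>/ instead of $WORK.
set -eu

WORK=$(mktemp -d)                  # constructed scratch directory
cd "$WORK"
mkdir crl newcerts
touch index.txt                    # the "database" parameter
echo 1000 > serial
echo 1000 > crlnumber

# CA config carrying the parameters the page requires: crl_dir, database, crl,
# crl_extensions, default_crl_days. The [req] and [v3_ca] sections only serve the
# self-signed test root so that 'openssl req' does not depend on a system openssl.cnf.
cat > ca.conf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $WORK
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/ca.key
certificate = \$dir/ca.crt
crl = \$dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_days = 30
default_md = sha256
policy = policy_any
x509_extensions = usr_cert

[ policy_any ]
commonName = supplied

[ crl_ext ]
authorityKeyIdentifier = keyid:always

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = placeholder

[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway root CA plus two client certificates issued through 'openssl ca'.
openssl req -config ca.conf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 30 -subj "/CN=Example Test CA" 2>/dev/null
for user in alice bob; do
  openssl req -config ca.conf -newkey rsa:2048 -nodes -keyout "$user.key" \
    -out "$user.csr" -subj "/CN=$user" 2>/dev/null
  openssl ca -config ca.conf -batch -notext -in "$user.csr" -out "$user.crt" 2>/dev/null
done

# Revoke bob, then generate the CRL the same way the page's 'openssl ca -gencrl' step does.
openssl ca -config ca.conf -revoke bob.crt 2>/dev/null
openssl ca -config ca.conf -gencrl -out crl/ca.crl 2>/dev/null

# Hashed symlink as in the page's 'ln -s' step; $(...) is the POSIX form of the backticks.
CRL_LINK="crl/$(openssl crl -hash -noout -in crl/ca.crl).r0"
ln -s "$WORK/crl/ca.crl" "$CRL_LINK"

# Mirror what mod_ssl does with SSLCARevocationCheck leaf: validate only the end-entity
# certificate against the CA and the CRL. Prints "valid" or "rejected".
cert_status() {
  if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl/ca.crl" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

echo "alice: $(cert_status "$WORK/alice.crt")"   # valid
echo "bob:   $(cert_status "$WORK/bob.crt")"     # rejected
echo "CRL symlink: $WORK/$CRL_LINK"
```

Two points carry over to a real deployment: the hashed link name comes from the CRL's issuer name, so it must be regenerated if the CA subject changes, and the CRL expires after default_crl_days, after which mod_ssl rejects every client certificate until a fresh CRL is generated.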