Configure a CRL in Tenable Security Center Director

Required User Role: Root user

You can enable a certificate revocation list (CRL) in Tenable Security Center Director to prevent users from authenticating to Tenable Security Center Director if their certificate matches a revocation in the CRL.

Note: Tenable Support does not assist with CRL creation or configuration in Tenable Security Center Director.

Before you begin:

  • Confirm that you have the mod_ssl Apache module installed on Tenable Security Center Director.
  • Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore the current version.

To configure a CRL in Tenable Security Center Director:

  1. In a text editor, open the /opt/sc/support/conf/sslverify.conf file.
    1. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.

    2. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.

    3. Save the file.

      Tenable Security Center Director saves your configuration.

  2. Restart Tenable Security Center Director, as described in Start, Stop, or Restart Tenable Security Center Director.

    Tenable Security Center Director restarts.

  3. Confirm that your CA root configuration file contains the following parameters:

    • crl_dir
    • database
    • crl
    • crl_extensions
    • default_crl_days

    For example:

    ...
    # Directory and file locations.
    dir = /opt/sc/data/CA
    crl_dir = /opt/sc/support/conf/crl
    database = /opt/sc/support/conf/index.txt

    # The root key and root certificate.
    private_key = /opt/sc/support/conf/TenableCA.key
    certificate = /opt/sc/data/CA/TenableCA.crt

    # For certificate revocation lists.
    crl = /opt/sc/support/conf/crl/ca.crl
    crl_extensions = crl_ext
    default_crl_days = 30
    ...

    The crl_extensions value names a section of the same configuration file (crl_ext in this example) that must exist, and default_crl_days sets how long each generated CRL stays valid.

  4. Save your CA root configuration file as YourCAname.conf in a subdirectory of /opt/sc/support/conf/.

  5. Confirm that the directories and files referenced in your YourCAname.conf file are present on Tenable Security Center Director in a subdirectory of /opt/sc/support/conf/.
  6. Configure Tenable Security Center Director to trust your CA, as described in Trust a Custom CA.

    Tenable Security Center Director processes your CA.

  7. In the command line interface (CLI), run the following command to generate the CRL from your CA database:

    $ openssl ca -config <path to your YourCAname.conf file> -gencrl -out <crl parameter value in the YourCAname.conf file>

    For example:

    $ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl

    OpenSSL signs the CRL with the CA private key and writes it to the path given by -out.

    Note: A CRL is only valid until its next-update time, which is default_crl_days after it was generated. Re-run this command whenever you revoke a certificate and before the current CRL expires; once it expires, certificate verification fails for every user, not only for revoked certificates.

  8. In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.
    1. Add the following content at the end of the file:

      SSLCARevocationCheck <value>

      SSLCARevocationFile "<filepath>"

      Where <value> and <filepath> are:

      SSLCARevocationCheck <value>
        chain   Tenable Security Center Director checks all certificates in a chain against the CRL. Every CA in the chain must then have a CRL available, or the check fails.
        leaf    Tenable Security Center Director checks only the end-entity certificate in a chain against the CRL.

      SSLCARevocationFile <filepath>
        Specifies the file path for the CRL file in Tenable Security Center Director. For example, /opt/sc/support/conf/crl/ca.crl.
    2. Save the file.

      Tenable Security Center Director saves your configuration.

  9. In the CLI, run the following command to create a symbolic link for the CRL file. The link is created in the current working directory, so change to the directory that holds the CRL first (for example, /opt/sc/support/conf/crl):

    $ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0

    For example:

    $ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0

    Caution: Do not use a single quote character (') instead of a backtick character (`); this command requires the backtick.

    The link name is the hash of the CRL issuer name followed by .r0, which is the name OpenSSL looks up when it searches a directory of CRLs. Regenerate the CRL in place (same path) so the link keeps pointing at the current CRL.

  10. Restart Tenable Security Center Director, as described in Start, Stop, or Restart Tenable Security Center Director.

    Tenable Security Center Director restarts.
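The following script is an added example and is not Tenable's code or part of this page's procedure. It runs the same OpenSSL steps (CRL generation and the hashed .r0 link) against a throw-away CA in a temporary directory, and goes one step further than the procedure above by revoking an issued client certificate, regenerating the CRL, and verifying that the certificate is accepted before revocation and rejected afterwards. All paths, the demo-ca.conf contents, and the names Demo Root CA and alice are assumptions for this demo; a real deployment uses the /opt/sc/... paths from the procedure.

```shell
#!/bin/sh
# Added example, not Tenable's code: the CRL workflow end to end on a throw-away CA.
# All paths below are assumptions for this demo; a real deployment uses /opt/sc/... paths.
set -eu

DEMO_DIR="$(mktemp -d)"                   # scratch CA root (assumption)
trap 'rm -rf "$DEMO_DIR"' EXIT

write_ca_config() {
  # The parameters the page requires (dir, crl_dir, database, crl, crl_extensions,
  # default_crl_days) plus the minimum that "openssl ca" needs to issue and revoke.
  cat > "$DEMO_DIR/demo-ca.conf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $DEMO_DIR
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
crl_dir          = \$dir/crl
crl              = \$dir/crl/ca.crl
crl_extensions   = crl_ext
default_crl_days = 30
default_days     = 365
default_md       = sha256
private_key      = \$dir/ca.key
certificate      = \$dir/ca.crt
policy           = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
extendedKeyUsage = clientAuth
EOF
}

setup_demo_ca() {
  mkdir -p "$DEMO_DIR/newcerts" "$DEMO_DIR/crl" "$DEMO_DIR/hashdir"
  : > "$DEMO_DIR/index.txt"               # the "database" file
  echo 1000 > "$DEMO_DIR/serial"
  echo 1000 > "$DEMO_DIR/crlnumber"
  write_ca_config
  # Root CA key and self-signed certificate (openssl chatter silenced; set -e still catches failures)
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$DEMO_DIR/demo-ca.conf" \
    -extensions v3_ca -subj "/CN=Demo Root CA" -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
  # One client certificate, issued by the CA and recorded in index.txt
  openssl req -new -newkey rsa:2048 -nodes -config "$DEMO_DIR/demo-ca.conf" \
    -subj "/CN=alice" -keyout "$DEMO_DIR/alice.key" -out "$DEMO_DIR/alice.csr" 2>/dev/null
  openssl ca -batch -notext -config "$DEMO_DIR/demo-ca.conf" -extensions v3_client \
    -in "$DEMO_DIR/alice.csr" -out "$DEMO_DIR/alice.crt" 2>/dev/null
  # Hashed <hash>.0 link for the CA certificate so a hash-directory lookup can build the chain
  ln -sf "$DEMO_DIR/ca.crt" "$DEMO_DIR/hashdir/$(openssl x509 -hash -noout -in "$DEMO_DIR/ca.crt").0"
}

generate_crl() {
  # Step 7 of the procedure: sign a fresh CRL from the entries in index.txt
  openssl ca -config "$DEMO_DIR/demo-ca.conf" -gencrl -out "$DEMO_DIR/crl/ca.crl" 2>/dev/null
  # Step 9: hashed <hash>.r0 link, with an absolute target so it resolves from any directory
  ln -sf "$DEMO_DIR/crl/ca.crl" "$DEMO_DIR/hashdir/$(openssl crl -hash -noout -in "$DEMO_DIR/crl/ca.crl").r0"
}

revoke_cert() {
  openssl ca -config "$DEMO_DIR/demo-ca.conf" -revoke "$1" -crl_reason keyCompromise 2>/dev/null
  generate_crl                             # a revocation only takes effect once a new CRL is published
}

# Prints OK, REVOKED, or FAIL:<openssl output> for a certificate checked against the CA and its CRL
cert_status() {
  out="$(openssl verify -crl_check -no-CAfile -CApath "$DEMO_DIR/hashdir" "$1" 2>&1 || true)"
  case "$out" in
    *": OK"*)                echo OK ;;
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo "FAIL:$out" ;;
  esac
}

# Number of revoked serials listed in the current CRL
crl_revoked_count() {
  openssl crl -in "$DEMO_DIR/crl/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}

setup_demo_ca
generate_crl
STATUS_BEFORE="$(cert_status "$DEMO_DIR/alice.crt")"
revoke_cert "$DEMO_DIR/alice.crt"
STATUS_AFTER="$(cert_status "$DEMO_DIR/alice.crt")"
echo "before revocation: $STATUS_BEFORE; after: $STATUS_AFTER; revoked entries in CRL: $(crl_revoked_count)"
```

The verification uses a hash directory (-CApath) rather than a single file, which is why the script creates the <hash>.0 link for the CA certificate alongside the <hash>.r0 link for the CRL: that is the layout OpenSSL, and mod_ssl's SSLCARevocationPath, search by name hash. With SSLCARevocationFile, as in the procedure above, mod_ssl reads the named file directly and the .r0 link is not consulted.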