Configure a CRL in Tenable Security Center Director

Required User Role: Root user

You can enable a certificate revocation list (CRL) in Tenable Security Center Director to prevent users from authenticating to Tenable Security Center Director if their certificate matches a revocation in the CRL.

Note: Tenable Support does not assist with CRL creation or configuration in Tenable Security Center Director.

Before you begin:

Confirm that you have the mod_ssl Apache module installed on Tenable Security Center Director.
Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore the current version.

To configure a CRL in Tenable Security Center Director:

In a text editor, open the /opt/sc/support/conf/sslverify.conf file.
1. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.
2. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.
3. Save the file.
  Tenable Security Center Director saves your configuration.
Restart Tenable Security Center Director, as described in Start, Stop, or Restart Tenable Security Center Director.

Tenable Security Center Director restarts.
Confirm that your CA root configuration file contains the following parameters:
- crl_dir
- database
- crl
- clr_extensions
- default_crl_days
For example:

...

# Directory and file locations.

dir = /opt/sc/data/CA

crl_dir = /opt/sc/support/conf/crl

database = /opt/sc/support/conf/index.txt

# The root key and root certificate.

private_key = /opt/sc/support/conf/TenableCA.key

certificate = /opt/sc/data/CA/TenableCA.crt

# For certificate revocation lists.

crl = /opt/sc/support/conf/crl/ca.crl

crl_extensions = crl_ext

default_crl_days = 30

...
Save your CA root configuration file as YourCAname.conf in a subdirectory of /opt/sc/support/conf/.
Confirm the directories and files referenced in your YourCAname.conf file are present on Tenable Security Center Director in a subdirectory of /opt/sc/support/conf/.
Configure Tenable Security Center Director to trust your CA, as described in Trust a Custom CA.

Tenable Security Center Director processes your CA.
In the command line interface (CLI), run the following command to enable the CRL in Tenable Security Center Director:

$ openssl ca -config <CA root configuration file directory> -gencrl -out <crl parameter value in the YourCAname.conf file>

For example:

$ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl

Tenable Security Center Director creates the CRL file.

In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.

Add the following content at the end of the file:

SSLCARevocationCheck <value>

SSLCARevocationFile "<filepath>"

Where <value> and <filepath> are:

Content	Description
SSLCARevocationCheck <value>
chain	Tenable Security Center Director checks all certificates in a chain against the CRL.
leaf	Tenable Security Center Director checks only the end-entity certificate in a chain against the CRL.
SSLCARevocationFile <filepath>
Specifies the file path for the CRL file in Tenable Security Center Director. For example, /opt/sc/support/conf/crl/ca.crl.

Save the file.
Tenable Security Center Director saves your configuration.

In the CLI, run the following command to create a symbolic link for the CRL file:

$ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0

For example:

$ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0

Caution: Do not use a single quote character (') instead of a backtick character (`); this command requires the backtick.

Tenable Security Center Director creates a symbolic link for the CRL file.
Restart Tenable Security Center Director, as described in Start, Stop, or Restart Tenable Security Center Director.

Tenable Security Center Director restarts.