Configure a CRL in Tenable.sc

Required User Role: Root user

You can enable a certificate revocation list (CRL) in Tenable.sc to prevent users from authenticating to Tenable.sc if their certificate matches a revocation in the CRL.

Note: Tenable Support does not assist with CRL creation or configuration in Tenable.sc.

Before you begin:

  • Confirm that you have the mod_ssl Apache module installed on Tenable.sc.
  • Back up the /opt/sc/data/CA/ directory in case you encounter issues and need to restore the current version.

To configure a CRL in Tenable.sc:

  1. In a text editor, open the /opt/sc/support/conf/sslverify.conf file.
    1. Set the SSLVerifyClient setting to Require or Optional, as described in SSLVerifyClient.

    2. Set the SSLVerifyDepth setting, as described in SSLVerifyDepth.

    3. Save the file.

      Tenable.sc saves your configuration.

  2. Restart Tenable.sc, as described in Start, Stop, or Restart Tenable.sc.

    Tenable.sc restarts.

  3. Confirm that your CA root configuration file contains the following parameters:

    • crl_dir
    • database
    • crl
    • crl_extensions
    • default_crl_days

    For example:

    ...
    # Directory and file locations.
    dir = /opt/sc/data/CA
    crl_dir = /opt/sc/support/conf/crl
    database = /opt/sc/support/conf/index.txt

    # The root key and root certificate.
    private_key = /opt/sc/support/conf/TenableCA.key
    certificate = /opt/sc/data/CA/TenableCA.crt

    # For certificate revocation lists.
    crl = /opt/sc/support/conf/crl/ca.crl
    crl_extensions = crl_ext
    default_crl_days = 30
    ...

  4. Save your CA root configuration file as YourCAname.conf in a subdirectory of /opt/sc/support/conf/.

  5. Confirm the directories and files referenced in your YourCAname.conf file are present on Tenable.sc in a subdirectory of /opt/sc/support/conf/.
  6. Configure Tenable.sc to trust your CA, as described in Trust a Custom CA.

    Tenable.sc processes your CA.

  7. In the command line interface (CLI), run the following command to enable the CRL in Tenable.sc:

    $ openssl ca -config <path to your CA root configuration file> -gencrl -out <crl parameter value in the YourCAname.conf file>

    For example:

    $ openssl ca -config /opt/sc/support/conf/ca-root.conf -gencrl -out /opt/sc/support/conf/crl/ca.crl

    Tenable.sc creates the CRL file.

  8. In a text editor, open the /opt/sc/support/conf/vhostssl.conf file.
    1. Add the following content at the end of the file:

      SSLCARevocationCheck <value>

      SSLCARevocationFile "<filepath>"

      Where <value> and <filepath> are:

      Content                          Description
      SSLCARevocationCheck <value>     chain: Tenable.sc checks all certificates in a chain against the CRL.
                                       leaf: Tenable.sc checks only the end-entity certificate in a chain against the CRL.
      SSLCARevocationFile <filepath>   Specifies the file path for the CRL file in Tenable.sc. For example, /opt/sc/support/conf/crl/ca.crl.
    2. Save the file.

      Tenable.sc saves your configuration.

  9. In the CLI, run the following command to create a symbolic link for the CRL file:

    $ ln -s <crl parameter value in the YourCAname.conf file> `openssl crl -hash -noout -in <crl parameter value in the YourCAname.conf file>`.r0

    For example:

    $ ln -s /opt/sc/support/conf/crl/ca.crl `openssl crl -hash -noout -in /opt/sc/support/conf/crl/ca.crl`.r0

    Caution: Do not use a single quote character (') instead of a backtick character (`); this command requires the backtick.

    Tenable.sc creates a symbolic link for the CRL file.

  10. Restart Tenable.sc, as described in Start, Stop, or Restart Tenable.sc.

    Tenable.sc restarts.
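The following script is an added example, not Tenable's code: it reproduces steps 7 and 9 against a throwaway CA in a temporary directory (constructed sample data, not the /opt/sc paths above) and then checks the deployed CRL the way an operator would before relying on it. It assumes openssl plus GNU date and readlink are available.

```shell
# Added example (not Tenable's code): build a demo CA, generate a CRL with
# "openssl ca -gencrl" (step 7), create the hashed ".r0" symlink (step 9),
# then verify the result. Requires openssl and GNU date/readlink.
set -eu

# Creates a demo CA, an empty CRL and its hashed symlink under $1 (constructed
# sample data); prints the CRL path. Config keys mirror the page's example.
make_demo_crl() {
    work="$1"
    mkdir -p "$work/crl"
    : > "$work/index.txt"          # empty certificate database
    echo 1000 > "$work/crlnumber"  # CRL number counter
    cat > "$work/ca.conf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $work
database = \$dir/index.txt
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
crlnumber = \$dir/crlnumber
crl = \$dir/crl/ca.crl
crl_extensions = crl_ext
default_crl_days = 30
default_md = sha256
[ crl_ext ]
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    openssl ca -config "$work/ca.conf" -gencrl -out "$work/crl/ca.crl" 2>/dev/null
    # mod_ssl finds the CRL by issuer-name hash, hence the <hash>.r0 link
    ln -s ca.crl "$work/crl/$(openssl crl -hash -noout -in "$work/crl/ca.crl").r0"
    echo "$work/crl/ca.crl"
}

# Checks a deployed CRL. Returns 0 when all hold; 1 = signature does not verify
# against the CA cert, 2 = hashed symlink missing or pointing elsewhere,
# 3 = nextUpdate has passed (a stale CRL makes mod_ssl reject every client).
check_crl() {
    crl="$1"; cacert="$2"
    link="$(dirname "$crl")/$(openssl crl -hash -noout -in "$crl").r0"
    openssl crl -in "$crl" -CAfile "$cacert" -noout 2>&1 | grep -q 'verify OK' || return 1
    [ -L "$link" ] && [ "$(readlink -f "$link")" = "$(readlink -f "$crl")" ] || return 2
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -d "$next" +%s)" -gt "$(date +%s)" ] || return 3
}
```

Run check_crl against the real /opt/sc/support/conf/crl/ca.crl and your CA certificate after step 9; because default_crl_days is 30 in the example configuration, the CRL must be regenerated before nextUpdate passes or the check (and mod_ssl) will fail.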