====== Revocation Check ======
**Complexity:** Low \\
**Duration:** 30 minutes setup \\
**Goal:** Ensure CRL/OCSP availability
Monitoring of revocation information (CRL and OCSP) for a functioning PKI.
----
===== Architecture =====
flowchart LR
subgraph CHECK["CHECKING"]
C1[CRL Download]
C2[CRL Parsing]
C3[OCSP Request]
end
subgraph VALIDATE["VALIDATION"]
V1[Signature OK?]
V2[Not expired?]
V3[Reachable?]
end
subgraph ALERT["ALERT"]
A1[CRL expired]
A2[OCSP Timeout]
A3[CDP unreachable]
end
C1 --> V1 & V2
C3 --> V3
V1 -->|No| A1
V2 -->|No| A1
V3 -->|No| A2
style A1 fill:#ffebee
style A2 fill:#ffebee
----
===== CRL Monitoring =====
==== Check CRL Status ====
#!/bin/bash
# /usr/local/bin/check-crl.sh
CRL_URLS=(
"http://crl.example.com/intermediate.crl"
"http://crl.example.com/root.crl"
)
WARN_HOURS=72 # Warning if < 3 days until Next Update
CRIT_HOURS=24 # Critical if < 1 day until Next Update
for url in "${CRL_URLS[@]}"; do
echo "Checking: $url"
# Download CRL
crl_data=$(curl -sf --max-time 10 "$url")
if [ $? -ne 0 ]; then
echo "ERROR: CRL unreachable - $url"
continue
fi
# Parse CRL (DER or PEM)
if [[ "$crl_data" == *"-----BEGIN"* ]]; then
crl_info=$(echo "$crl_data" | openssl crl -text -noout)
else
crl_info=$(echo "$crl_data" | openssl crl -inform DER -text -noout)
fi
# Extract Next Update
next_update=$(echo "$crl_info" | grep "Next Update" | sed 's/.*: //')
next_epoch=$(date -d "$next_update" +%s)
now_epoch=$(date +%s)
hours_left=$(( (next_epoch - now_epoch) / 3600 ))
# CRL Number
crl_number=$(echo "$crl_info" | grep -A1 "CRL Number" | tail -1 | tr -d ' ')
# Output status
if [ "$hours_left" -lt 0 ]; then
echo "CRITICAL: CRL expired! - $url"
elif [ "$hours_left" -lt "$CRIT_HOURS" ]; then
echo "CRITICAL: CRL expires in $hours_left hours - $url"
elif [ "$hours_left" -lt "$WARN_HOURS" ]; then
echo "WARNING: CRL expires in $hours_left hours - $url"
else
echo "OK: CRL valid for $hours_left hours - $url (CRL#: $crl_number)"
fi
# Count revoked certificates
revoked_count=$(echo "$crl_info" | grep -c "Serial Number:")
echo " Revoked: $revoked_count certificates"
echo ""
done
==== Prometheus Exporter for CRL ====
#!/bin/bash
# crl-exporter.sh - Generates Prometheus metrics
METRICS_FILE="/var/lib/node_exporter/textfile_collector/crl.prom"
cat /dev/null > "$METRICS_FILE"
CRL_URLS=(
"intermediate|http://crl.example.com/intermediate.crl"
"root|http://crl.example.com/root.crl"
)
for entry in "${CRL_URLS[@]}"; do
IFS='|' read -r name url <<< "$entry"
crl_data=$(curl -sf --max-time 10 "$url" 2>/dev/null)
if [ $? -ne 0 ]; then
echo "crl_reachable{name=\"$name\"} 0" >> "$METRICS_FILE"
continue
fi
echo "crl_reachable{name=\"$name\"} 1" >> "$METRICS_FILE"
next_update=$(echo "$crl_data" | openssl crl -inform DER -nextupdate -noout 2>/dev/null | cut -d= -f2)
if [ -n "$next_update" ]; then
next_epoch=$(date -d "$next_update" +%s)
echo "crl_next_update_timestamp{name=\"$name\"} $next_epoch" >> "$METRICS_FILE"
fi
revoked=$(echo "$crl_data" | openssl crl -inform DER -text -noout 2>/dev/null | grep -c "Serial Number:")
echo "crl_revoked_count{name=\"$name\"} $revoked" >> "$METRICS_FILE"
done
**Alert Rule:**
- alert: CRLExpiringSoon
expr: crl_next_update_timestamp - time() < 86400
labels:
severity: critical
annotations:
summary: "CRL {{ $labels.name }} expires in < 24h"
- alert: CRLUnreachable
expr: crl_reachable == 0
for: 5m
labels:
severity: critical
annotations:
summary: "CRL {{ $labels.name }} unreachable"
----
===== OCSP Monitoring =====
==== Check OCSP Responder ====
#!/bin/bash
# /usr/local/bin/check-ocsp.sh
OCSP_URL="http://ocsp.example.com"
ISSUER_CERT="/etc/pki/CA/intermediate-ca.pem"
TEST_CERT="/etc/ssl/certs/test-server.pem"
echo "OCSP Responder Check: $OCSP_URL"
# Send OCSP request
start_time=$(date +%s%N)
response=$(openssl ocsp \
-issuer "$ISSUER_CERT" \
-cert "$TEST_CERT" \
-url "$OCSP_URL" \
-resp_text 2>&1)
end_time=$(date +%s%N)
# Calculate response time (ms)
response_time=$(( (end_time - start_time) / 1000000 ))
# Extract status
if echo "$response" | grep -q "good"; then
status="good"
elif echo "$response" | grep -q "revoked"; then
status="revoked"
else
status="error"
fi
# Output
echo "Status: $status"
echo "Response time: ${response_time}ms"
if [ "$status" = "error" ]; then
echo "ERROR: OCSP Responder not functional"
exit 1
fi
if [ "$response_time" -gt 2000 ]; then
echo "WARNING: OCSP response time > 2s"
fi
==== OCSP Prometheus Exporter ====
#!/bin/bash
# ocsp-exporter.sh
METRICS_FILE="/var/lib/node_exporter/textfile_collector/ocsp.prom"
OCSP_ENDPOINTS=(
"intermediate|http://ocsp.example.com|/etc/pki/CA/intermediate.pem|/etc/ssl/certs/test.pem"
)
cat /dev/null > "$METRICS_FILE"
for entry in "${OCSP_ENDPOINTS[@]}"; do
IFS='|' read -r name url issuer cert <<< "$entry"
start_time=$(date +%s%N)
response=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text 2>&1)
exit_code=$?
end_time=$(date +%s%N)
response_time=$(( (end_time - start_time) / 1000000 ))
echo "ocsp_response_time_ms{name=\"$name\"} $response_time" >> "$METRICS_FILE"
if [ $exit_code -eq 0 ]; then
echo "ocsp_up{name=\"$name\"} 1" >> "$METRICS_FILE"
else
echo "ocsp_up{name=\"$name\"} 0" >> "$METRICS_FILE"
fi
if echo "$response" | grep -q "good"; then
echo "ocsp_status{name=\"$name\"} 0" >> "$METRICS_FILE" # 0=good
elif echo "$response" | grep -q "revoked"; then
echo "ocsp_status{name=\"$name\"} 1" >> "$METRICS_FILE" # 1=revoked
else
echo "ocsp_status{name=\"$name\"} 2" >> "$METRICS_FILE" # 2=unknown/error
fi
done
**Alert Rules:**
- alert: OCSPResponderDown
expr: ocsp_up == 0
for: 2m
labels:
severity: critical
annotations:
summary: "OCSP Responder {{ $labels.name }} unreachable"
- alert: OCSPResponseSlow
expr: ocsp_response_time_ms > 2000
for: 5m
labels:
severity: warning
annotations:
summary: "OCSP {{ $labels.name }} slow: {{ $value }}ms"
----
===== Blackbox Exporter =====
# blackbox.yml
modules:
tls_connect:
prober: tcp
timeout: 5s
tcp:
tls: true
tls_config:
insecure_skip_verify: false
http_crl:
prober: http
timeout: 10s
http:
method: GET
valid_status_codes: [200]
fail_if_body_not_matches_regexp: ["-----BEGIN X509 CRL-----|^\x30"]
ocsp_check:
prober: http
timeout: 5s
http:
method: POST
headers:
Content-Type: application/ocsp-request
----
===== PowerShell (Windows) =====
# Check-Revocation.ps1
param(
[string]$OcspUrl = "http://ocsp.example.com",
[string]$CrlUrl = "http://crl.example.com/intermediate.crl"
)
# Check CRL
Write-Host "=== CRL Check ===" -ForegroundColor Cyan
try {
$crlResponse = Invoke-WebRequest -Uri $CrlUrl -TimeoutSec 10
Write-Host "CRL reachable: OK ($($crlResponse.StatusCode))" -ForegroundColor Green
# Parse CRL (requires additional tools or .NET)
$crlBytes = $crlResponse.Content
# ... CRL parsing here
}
catch {
Write-Host "CRL ERROR: $_" -ForegroundColor Red
}
# Check OCSP (simplified via openssl)
Write-Host "`n=== OCSP Check ===" -ForegroundColor Cyan
try {
$certPath = "C:\certs\test.pem"
$issuerPath = "C:\certs\intermediate.pem"
$ocspResult = & openssl ocsp -issuer $issuerPath -cert $certPath -url $OcspUrl -text 2>&1
if ($ocspResult -match "good") {
Write-Host "OCSP Status: GOOD" -ForegroundColor Green
}
elseif ($ocspResult -match "revoked") {
Write-Host "OCSP Status: REVOKED" -ForegroundColor Yellow
}
else {
Write-Host "OCSP Status: ERROR" -ForegroundColor Red
}
}
catch {
Write-Host "OCSP ERROR: $_" -ForegroundColor Red
}
----
===== Checklist =====
| # | Checkpoint | Done |
|---|------------|------|
| 1 | CRL URLs defined | |
| 2 | CRL download working | |
| 3 | CRL expiry warning configured | |
| 4 | OCSP URL defined | |
| 5 | OCSP response working | |
| 6 | Prometheus exporter active | |
| 7 | Alerts configured | |
----
===== Related Documentation =====
* [[..:tagesgeschaeft:zertifikat-widerrufen|Revoke Certificate]] - Update CRL
* [[.:ablauf-monitoring|Expiry Monitoring]] - Certificate expiry
* [[en:int:pqcrypt:szenarien:widerruf:start|Revocation Scenarios]] - Detailed guides
----
<< [[.:ablauf-monitoring|<- Expiry Monitoring]] | [[.:audit-logging|-> Audit Logging]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>monitoring crl ocsp revocation operator}}