====== Provjera opoziva ======
**Složenost:** Niska \\
**Trajanje:** 30 minuta postavljanja \\
**Cilj:** Osiguranje dostupnosti CRL/OCSP
Nadzor informacija o opozivu (CRL i OCSP) za funkcionalni PKI.
----
===== Arhitektura =====
flowchart LR
subgraph CHECK["🔍 PROVJERA"]
C1[CRL preuzimanje]
C2[CRL parsiranje]
C3[OCSP zahtjev]
end
subgraph VALIDATE["✅ VALIDACIJA"]
V1[Potpis OK?]
V2[Nije istekao?]
V3[Dostupan?]
end
subgraph ALERT["🚨 ALERT"]
A1[CRL istekao]
A2[OCSP Timeout]
A3[CDP nedostupan]
end
C1 --> V1 & V2
C3 --> V3
V1 -->|Ne| A1
V2 -->|Ne| A1
V3 -->|Ne| A2
style A1 fill:#ffebee
style A2 fill:#ffebee
----
===== CRL Monitoring =====
==== Provjera CRL statusa ====
#!/bin/bash
# /usr/local/bin/check-crl.sh
CRL_URLS=(
"http://crl.example.com/intermediate.crl"
"http://crl.example.com/root.crl"
)
WARN_HOURS=72 # Upozorenje ako < 3 dana do Next Update
CRIT_HOURS=24 # Kritično ako < 1 dan do Next Update
for url in "${CRL_URLS[@]}"; do
echo "Provjera: $url"
# Preuzimanje CRL-a
crl_data=$(curl -sf --max-time 10 "$url")
if [ $? -ne 0 ]; then
echo "GREŠKA: CRL nije dostupan - $url"
continue
fi
# Parsiranje CRL-a (DER ili PEM)
if [[ "$crl_data" == *"-----BEGIN"* ]]; then
crl_info=$(echo "$crl_data" | openssl crl -text -noout)
else
crl_info=$(echo "$crl_data" | openssl crl -inform DER -text -noout)
fi
# Ekstrakcija Next Update
next_update=$(echo "$crl_info" | grep "Next Update" | sed 's/.*: //')
next_epoch=$(date -d "$next_update" +%s)
now_epoch=$(date +%s)
hours_left=$(( (next_epoch - now_epoch) / 3600 ))
# CRL Number
crl_number=$(echo "$crl_info" | grep -A1 "CRL Number" | tail -1 | tr -d ' ')
# Izlaz statusa
if [ "$hours_left" -lt 0 ]; then
echo "KRITIČNO: CRL istekao! - $url"
elif [ "$hours_left" -lt "$CRIT_HOURS" ]; then
echo "KRITIČNO: CRL ističe za $hours_left sati - $url"
elif [ "$hours_left" -lt "$WARN_HOURS" ]; then
echo "UPOZORENJE: CRL ističe za $hours_left sati - $url"
else
echo "OK: CRL valjan još $hours_left sati - $url (CRL#: $crl_number)"
fi
# Broj opozvanih certifikata
revoked_count=$(echo "$crl_info" | grep -c "Serial Number:")
echo " Opozvano: $revoked_count certifikata"
echo ""
done
==== Prometheus Exporter za CRL ====
#!/bin/bash
# crl-exporter.sh - Generira Prometheus metrike
METRICS_FILE="/var/lib/node_exporter/textfile_collector/crl.prom"
cat /dev/null > "$METRICS_FILE"
CRL_URLS=(
"intermediate|http://crl.example.com/intermediate.crl"
"root|http://crl.example.com/root.crl"
)
for entry in "${CRL_URLS[@]}"; do
IFS='|' read -r name url <<< "$entry"
crl_data=$(curl -sf --max-time 10 "$url" 2>/dev/null)
if [ $? -ne 0 ]; then
echo "crl_reachable{name=\"$name\"} 0" >> "$METRICS_FILE"
continue
fi
echo "crl_reachable{name=\"$name\"} 1" >> "$METRICS_FILE"
next_update=$(echo "$crl_data" | openssl crl -inform DER -nextupdate -noout 2>/dev/null | cut -d= -f2)
if [ -n "$next_update" ]; then
next_epoch=$(date -d "$next_update" +%s)
echo "crl_next_update_timestamp{name=\"$name\"} $next_epoch" >> "$METRICS_FILE"
fi
revoked=$(echo "$crl_data" | openssl crl -inform DER -text -noout 2>/dev/null | grep -c "Serial Number:")
echo "crl_revoked_count{name=\"$name\"} $revoked" >> "$METRICS_FILE"
done
**Alert Rule:**
- alert: CRLExpiringSoon
expr: crl_next_update_timestamp - time() < 86400
labels:
severity: critical
annotations:
summary: "CRL {{ $labels.name }} ističe za < 24h"
- alert: CRLUnreachable
expr: crl_reachable == 0
for: 5m
labels:
severity: critical
annotations:
summary: "CRL {{ $labels.name }} nije dostupan"
----
===== OCSP Monitoring =====
==== Provjera OCSP respondera ====
#!/bin/bash
# /usr/local/bin/check-ocsp.sh
OCSP_URL="http://ocsp.example.com"
ISSUER_CERT="/etc/pki/CA/intermediate-ca.pem"
TEST_CERT="/etc/ssl/certs/test-server.pem"
echo "OCSP Responder Check: $OCSP_URL"
# Slanje OCSP zahtjeva
start_time=$(date +%s%N)
response=$(openssl ocsp \
-issuer "$ISSUER_CERT" \
-cert "$TEST_CERT" \
-url "$OCSP_URL" \
-resp_text 2>&1)
end_time=$(date +%s%N)
# Izračun vremena odziva (ms)
response_time=$(( (end_time - start_time) / 1000000 ))
# Ekstrakcija statusa
if echo "$response" | grep -q "good"; then
status="good"
elif echo "$response" | grep -q "revoked"; then
status="revoked"
else
status="error"
fi
# Izlaz
echo "Status: $status"
echo "Vrijeme odziva: ${response_time}ms"
if [ "$status" = "error" ]; then
echo "GREŠKA: OCSP Responder ne funkcionira"
exit 1
fi
if [ "$response_time" -gt 2000 ]; then
echo "UPOZORENJE: Vrijeme odziva OCSP > 2s"
fi
==== OCSP Prometheus Exporter ====
#!/bin/bash
# ocsp-exporter.sh
METRICS_FILE="/var/lib/node_exporter/textfile_collector/ocsp.prom"
OCSP_ENDPOINTS=(
"intermediate|http://ocsp.example.com|/etc/pki/CA/intermediate.pem|/etc/ssl/certs/test.pem"
)
cat /dev/null > "$METRICS_FILE"
for entry in "${OCSP_ENDPOINTS[@]}"; do
IFS='|' read -r name url issuer cert <<< "$entry"
start_time=$(date +%s%N)
response=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text 2>&1)
exit_code=$?
end_time=$(date +%s%N)
response_time=$(( (end_time - start_time) / 1000000 ))
echo "ocsp_response_time_ms{name=\"$name\"} $response_time" >> "$METRICS_FILE"
if [ $exit_code -eq 0 ]; then
echo "ocsp_up{name=\"$name\"} 1" >> "$METRICS_FILE"
else
echo "ocsp_up{name=\"$name\"} 0" >> "$METRICS_FILE"
fi
if echo "$response" | grep -q "good"; then
echo "ocsp_status{name=\"$name\"} 0" >> "$METRICS_FILE" # 0=good
elif echo "$response" | grep -q "revoked"; then
echo "ocsp_status{name=\"$name\"} 1" >> "$METRICS_FILE" # 1=revoked
else
echo "ocsp_status{name=\"$name\"} 2" >> "$METRICS_FILE" # 2=unknown/error
fi
done
**Alert Rules:**
- alert: OCSPResponderDown
expr: ocsp_up == 0
for: 2m
labels:
severity: critical
annotations:
summary: "OCSP Responder {{ $labels.name }} nije dostupan"
- alert: OCSPResponseSlow
expr: ocsp_response_time_ms > 2000
for: 5m
labels:
severity: warning
annotations:
summary: "OCSP {{ $labels.name }} spor: {{ $value }}ms"
----
===== Blackbox Exporter =====
# blackbox.yml
modules:
tls_connect:
prober: tcp
timeout: 5s
tcp:
tls: true
tls_config:
insecure_skip_verify: false
http_crl:
prober: http
timeout: 10s
http:
method: GET
valid_status_codes: [200]
fail_if_body_not_matches_regexp: ["-----BEGIN X509 CRL-----|^\x30"]
ocsp_check:
prober: http
timeout: 5s
http:
method: POST
headers:
Content-Type: application/ocsp-request
----
===== PowerShell (Windows) =====
# Check-Revocation.ps1
param(
[string]$OcspUrl = "http://ocsp.example.com",
[string]$CrlUrl = "http://crl.example.com/intermediate.crl"
)
# Provjera CRL-a
Write-Host "=== CRL Check ===" -ForegroundColor Cyan
try {
$crlResponse = Invoke-WebRequest -Uri $CrlUrl -TimeoutSec 10
Write-Host "CRL dostupan: OK ($($crlResponse.StatusCode))" -ForegroundColor Green
# Parsiranje CRL-a (zahtijeva dodatne alate ili .NET)
$crlBytes = $crlResponse.Content
# ... CRL parsiranje ovdje
}
catch {
Write-Host "CRL GREŠKA: $_" -ForegroundColor Red
}
# Provjera OCSP-a (pojednostavljeno putem openssl)
Write-Host "`n=== OCSP Check ===" -ForegroundColor Cyan
try {
$certPath = "C:\certs\test.pem"
$issuerPath = "C:\certs\intermediate.pem"
$ocspResult = & openssl ocsp -issuer $issuerPath -cert $certPath -url $OcspUrl -text 2>&1
if ($ocspResult -match "good") {
Write-Host "OCSP Status: GOOD" -ForegroundColor Green
}
elseif ($ocspResult -match "revoked") {
Write-Host "OCSP Status: REVOKED" -ForegroundColor Yellow
}
else {
Write-Host "OCSP Status: ERROR" -ForegroundColor Red
}
}
catch {
Write-Host "OCSP GREŠKA: $_" -ForegroundColor Red
}
----
===== Kontrolna lista =====
| # | Točka provjere | ✓ |
|---|----------------|---|
| 1 | CRL URL-ovi definirani | ☐ |
| 2 | CRL preuzimanje funkcionira | ☐ |
| 3 | Upozorenje za istek CRL-a konfigurirano | ☐ |
| 4 | OCSP URL definiran | ☐ |
| 5 | OCSP odziv funkcionira | ☐ |
| 6 | Prometheus Exporter aktivan | ☐ |
| 7 | Alerti konfigurirani | ☐ |
----
===== Povezana dokumentacija =====
* [[..:tagesgeschaeft:zertifikat-widerrufen|Opoziv certifikata]] – Ažuriranje CRL-a
* [[.:ablauf-monitoring|Monitoring isteka]] – Istek certifikata
* [[hr:int:pqcrypt:szenarien:widerruf:start|Scenariji opoziva]] – Detaljne upute
----
<< [[.:ablauf-monitoring|← Monitoring isteka]] | [[.:audit-logging|→ Audit Logging]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>monitoring crl ocsp opoziv operator}}