This article highlights the important fields in PKI CRL command and debug output and shows how to interpret PKI CRL logs on a Junos device.
Understanding Certificate Revocation Lists:
For an explanation of ‘Understanding Certificate Revocation Lists’, refer to the technical documentation: http://www.juniper.net/techpubs/en_US/junos/topics/concept/certificate-crl-understanding.html
The important fields of PKI command output and debugs are highlighted below:
Verification:
root@SRX# run show security pki local-certificate detail | no-more
Certificate identifier: ADMIN
  Certificate version: 3
  Serial number: 5097bb730000000001a2
  Issuer:
    Common name: Lab, Domain component: com
  Subject:
    Common name: admin.juniper.net
  Alternate subject: email empty, fqdn empty, 192.168.1.10
  Validity:
    Not before: 09-13-2011 08:33
    Not after: 03- 3-2015 13:31
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:c8:cb:43:cc:10:79:6d:9e:69:94:37:ba:fb
    6a:f4:b9:c0:e2:06:e6:04:94:ca:72:63:3c:cb:e6:4f:50:fa:a4:1f
    9f:cf:8e:ba:76:8c:f8:bb:43:59:b9:a6:07:a1:df:95:74:ea:db:7d
    0e:a2:9b:bb:02:7b:19:39:5f:54:cc:4c:ae:65:85:2e:f7:e6:58:e0
    76:29:5e:3a:c7:59:1b:5d:8b:d4:49:46:0f:e5:c3:96:e9:7c:d8:bd
    b9:30:18:74:6f:8a:bb:1c:52:fe:26:77:2e:c1:e5:44:60:ee:aa:f4
    1d:d7:ad:ac:1c:1c:67:e0:8f:fe:f9:d9:bf:10:9d:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL:
    ldap:///CN=Lab,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=juniper,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
    http://admin.juniper.net/CertEnroll/Lab.crl
  Fingerprint:
    15:bd:94:99:43:42:08:3c:ab:c8:d3:a4:15:b3:fe:13:98:9d:eb:d7 (sha1)
    08:03:e2:96:bc:21:87:81:b2:7f:b4:fc:ec:d6:30:6c (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
PKI ca-profile Configuration:
[edit]
root# show security pki ca-profile
mycaprofile {
    ca-identity 172.27.201.121;
    enrollment {
        url http://172.27.201.121/certsrv/mscep/mscep.dll;
    }
    revocation-check {
    }
}
Important: For CA certificates, a DNS server must be configured on the device. That DNS server must be able to resolve the host named in the certificate's CRL distribution point and in the CA certificate/revocation-list URL of the ca-profile configuration. The device must also have network reachability to that host; otherwise the CRL cannot be retrieved and the revocation check cannot complete.
a) If revocation-check is disabled, this output will be displayed in the PKI traceoptions:
Sep 13 16:59:42 ldapStart: warning: revocation status is not verified per configuration.
b) If revocation-check is enabled, output similar to this will be displayed in PKI traceoptions:
Sep 13 18:23:58 checking for revocation.
Sep 13 18:23:58 ldapStart
Sep 13 18:23:58 ldapRetrieveCRL
Sep 13 18:23:58 updatecrlLdapUrl: try asn_obj type general name.
Sep 13 18:23:58 updatecrlLdapUrl: num1 <1>
Sep 13 18:23:58 updatecrlLdapUrl: got dp1 <0>
Sep 13 18:23:58 updatecrlLdapUrl: got fullname num2 <2>
Sep 13 18:23:58 updatecrlLdapUrl: got ia5 at <0> len <171> <ldap:///CN=Lab,CN=Test,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=juniper,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint>
Sep 13 18:23:58 updatecrlLdapUrl: got ia5 at <1> len <46> <http://admin.juniper.net/CertEnroll/Lab.crl>
Sep 13 18:23:58 updatecrlLdapUrl: got relativename num2 <2>
Sep 13 18:23:58 CRL URL: pCrlUrl=http://admin.juniper.net/CertEnroll/Lab.crl
Sep 13 18:23:58 CRL URL: no Dn
Sep 13 18:23:58 CRL URL: Scope=0
Sep 13 18:23:58 CRL URL: no filter
Sep 13 18:23:58 CRL URL: no attr
Sep 13 18:23:58 updatecrlLdapUrl: Take ia5 CDP len <46> <http://admin.juniper.net/CertEnroll/Lab.crl>
Sep 13 18:23:58 send_crl_request: trying the embedded settings.
Sep 13 18:23:58 send_first_crl_request: the http approch.
Sep 13 18:23:58 send_first_crl_request: url=http://admin.juniper.net/CertEnroll/Lab.crl
Sep 13 18:23:58 httpUrlParser: Success, port=80:
Sep 13 18:23:58 httpUrlParser: host=<admin.juniper.net>
Sep 13 18:23:58 httpUrlParser: urlPath=<GET /CertEnroll/Lab.crl>
Sep 13 18:23:58 httpUrlParser: input url=<http://admin.juniper.net/CertEnroll/Lab.crl>
Sep 13 18:23:58 openHttpConnection: convert the host name admin.juniper.net.
Sep 13 18:23:58 send_first_crl_request: Cannot send first http request CRL packet.
Sep 13 18:23:58 send_crl_request: error send to embedded setting.
Sep 13 18:23:58 ldapStart: exit (3).
Sep 13 18:23:58 ldapNotify_func: err_id<3>
As a workaround, static-host-mapping was configured for this hostname:
root# show system static-host-mapping
{
    admin.juniper.net inet 172.27.201.121;
}

After this, the PKI traceoptions displayed this behavior:

Sep 13 18:32:49 openHttpConnection: convert the host name admin.juniper.net.
Sep 13 18:32:49 server IP <ac1bc979>
Sep 13 18:32:49 Trying to connect host admin.juniper.net port 80
Sep 13 18:32:49 openHttpConnection: Making socket 15 blocking
Sep 13 18:32:49 Trying to send to socket 15, http_req is:
GET /CertEnroll/Lab.crl HTTP/1.0
Accept-Language: en-us
Host: admin.juniper.net
Connection: Close
?certificateRevocationList?base?objectClass=cRLDistributionPoint
Sep 13 18:32:49 openHttpConnection: done <0>.
Sep 13 18:32:49 ldapStart: exit (-1).
Sep 13 18:32:52 checkLdapResponse, max socekt <15>
Sep 13 18:32:52 checkLdapResponse, socekt select return got data, rc <1>
Sep 13 18:32:52 crl_online_response_proc: http data received for socket <15>.
Sep 13 18:32:52 ldap_response_proc: got data count <1037>.
Sep 13 18:32:52 crl_online_response_proc: fill http data buffer for data from socket <15>.
Sep 13 18:32:55 checkLdapResponse, max socekt <15>
Sep 13 18:32:55 checkLdapResponse, socekt select return got data, rc <1>
Sep 13 18:32:55 crl_online_response_proc: http data received for socket <15>.
Sep 13 18:32:55 crl_online_response_proc: recv found 0 data in socket <15>, wait cnt <1>.
Sep 13 18:32:58 checkLdapResponse, max socekt <15>
Sep 13 18:32:58 checkLdapResponse, socekt select return got data, rc <1>
Sep 13 18:32:58 crl_online_response_proc: http data received for socket <15>.
Sep 13 18:32:58 crl_online_response_proc: recv found no more data in socket <15>, close.
Sep 13 18:32:58 crl_online_response_proc: http socket <15> got data <0087d000> len <1037> byte.
Sep 13 18:32:58 pkiExec: got content <application/pkix-cr>, data <87d117> data len <758>
Sep 13 18:32:58 pkiExec: in_process = 0
Sep 13 18:32:58 Got buf=87d117 len=758 context 883200 contentType=application/pkix-cr contentTypeLen=20
Sep 13 18:32:58 pkiExec: Verify the CRL
Sep 13 18:32:58 loadx509File: file_name :884400 len = 758
Sep 13 18:32:58 Attempt (PKCS7, ASN1) format ...
Sep 13 18:32:58 Attempt raw(DER, ASN1) format for CRL
Sep 13 18:32:58 raw(DER, ASN1) format found for CRL
Sep 13 18:32:58 get_online_crl, load one crl to hash
Sep 13 18:32:58 count x509 object, type<2>
Sep 13 18:32:58 get_first_crl_from_store: Loading crl, obj=873d20, len<758>
Sep 13 18:32:58 verify_CRL_check_cert_revocation: pass the CRL DSS check
Sep 13 18:32:58 pkid_delete_obj_from_lhash, error no subject name
Sep 13 18:32:58 x509_object_hash, error input object type <825559668>
Sep 13 18:32:58 Inside pkid_delete_obj_from_lhash, error locate obj from lhash to delete
Sep 13 18:32:58 Inside verify_CRL_check_cert_revocation, error delete crl, crl not found
Sep 13 18:32:58 Inside pkid_add_obj_to_lhash, retrieved obj type <2> from lhash just saved
Sep 13 18:32:58 Inside pkid_add_obj_to_lhash, store obj type <2> to lhash, id <mycaprofile>
Sep 13 18:32:58 pkid_retrieve_obj_from_lhash, try retrieve obj from lhash type <2> for id <mycaprofile>
Sep 13 18:32:58 pkid_retrieve_obj_from_lhash, retrieved obj from lhash for id <mycaprofile>
Sep 13 18:32:58 pkid_save_obj_to_file, save to </var/db/certs/common/crl/mycaprofile.crl>
Sep 13 18:32:58 verify_CRL_check_cert_revocation: store CRL done.
Sep 13 18:32:58 process <1> cert verify states.
Sep 13 18:32:58 ldapRetrieveCRL
Sep 13 18:32:58 pkid_retrieve_obj_from_lhash, try retrieve obj from lhash type <2> for id <mycaprofile>
Sep 13 18:32:58 pkid_retrieve_obj_from_lhash, retrieved obj from lhash for id <mycaprofile>
Sep 13 18:32:58 check_local_crl: found the CRL in database.
Sep 13 18:32:58 process cert verify states number <0>.
Sep 13 18:32:58 move_to_next_cert_in_chain, cur<0> total<2>
Sep 13 18:32:58 move_to_next_cert_in_chain: at end.
Sep 13 18:32:58 cert_path_success
Sep 13 18:32:58 Top of chain verified ok: /CN=admin.juniper.net
Sep 13 18:32:58 cert verified ok: /CN=admin.juniper.net
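To turn the traceoptions outcomes described above (revocation check disabled, CDP host not resolved or reachable, CRL downloaded and stored, CRL served from the local database) into a quick triage, here is an added Python example that is not part of the original article. The sample lines are constructed from the excerpts above, and the verdict labels are my own rather than anything pkid emits.

```python
import re

# Constructed sample traceoptions excerpts, abridged from the cases shown above.
TRACE_DISABLED = "Sep 13 16:59:42 ldapStart: warning: revocation status is not verified per configuration."
TRACE_DNS_FAIL = """Sep 13 18:23:58 checking for revocation.
Sep 13 18:23:58 send_first_crl_request: url=http://admin.juniper.net/CertEnroll/Lab.crl
Sep 13 18:23:58 httpUrlParser: host=<admin.juniper.net>
Sep 13 18:23:58 openHttpConnection: convert the host name admin.juniper.net.
Sep 13 18:23:58 send_first_crl_request: Cannot send first http request CRL packet.
Sep 13 18:23:58 ldapStart: exit (3).
Sep 13 18:23:58 ldapNotify_func: err_id<3>"""
TRACE_FETCHED = """Sep 13 18:32:49 Trying to connect host admin.juniper.net port 80
Sep 13 18:32:58 pkid_save_obj_to_file, save to </var/db/certs/common/crl/mycaprofile.crl>
Sep 13 18:32:58 verify_CRL_check_cert_revocation: store CRL done.
Sep 13 18:32:58 check_local_crl: found the CRL in database.
Sep 13 18:32:58 cert verified ok: /CN=admin.juniper.net"""
TRACE_CACHED = """Sep 13 13:53:41 checking for revocation.
Sep 13 13:53:41 check_local_crl: found the CRL in database"""

# Ordered (pattern, verdict) rules; the first match wins, so the more specific
# messages come first. Verdict labels are my own, not pkid's.
RULES = [
    (r"revocation status is not verified per configuration", "revocation-check disabled"),
    (r"Cannot send first http request CRL packet|ldapStart: exit \(3\)",
     "CRL fetch failed: CDP host not resolved or not reachable"),
    (r"verify_CRL_check_cert_revocation: store CRL done", "CRL downloaded and stored"),
    (r"check_local_crl: found the CRL in database", "CRL served from local database"),
]


def triage(trace: str) -> dict:
    """Classify one pkid traceoptions excerpt and pull out the CDP host and verified subject."""
    verdict = next((label for pattern, label in RULES if re.search(pattern, trace)), "unknown")
    host = re.search(r"host=<([^>]+)>|connect host (\S+) port", trace)
    cert = re.search(r"cert verified ok: (\S+)", trace)
    return {
        "verdict": verdict,
        "host": next((g for g in host.groups() if g), None) if host else None,
        "verified": cert.group(1) if cert else None,
    }


def crl_ok(trace: str) -> bool:
    """True only when revocation was actually checked against a CRL (cases b and c)."""
    return triage(trace)["verdict"] in ("CRL downloaded and stored", "CRL served from local database")
```

Feed it the output of `show log <pki-trace-file>` for one verification run; a verdict of "unknown" means none of the four messages above appeared and the trace needs a manual read.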
c) If the CRL is already present in the device, output similar to this will be displayed in PKI traceoptions:
Sep 13 13:53:41 checking for revocation.
Sep 13 13:53:41 ldapStart
Sep 13 13:53:41 ldapRetrieveCRL
Sep 13 13:53:41 pkid_retrieve_obj_from_lhash, try retrieve obj from lhash type <2> for id <mycaprofile>
Sep 13 13:53:41 pkid_retrieve_obj_from_lhash, retrieved obj from lhash for id <mycaprofile>
Sep 13 13:53:41 check_local_crl: found the CRL in database

To verify this:

[edit]
root@J-Series# run show security pki crl detail
CA profile: mycaprofile
  CRL version: V00000001
  CRL issuer: DC = com, DC = juniper, CN = Lab
  Effective date: 09-11-2011 17:05
  Next update: 09-19-2011 05:25
  Revocation List:
    Serial number                    Revocation date
    29ce0bff00000000015e             06-24-2011 12:23
    29b1328000000000015d             06-24-2011 12:22
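As an added example that is not part of the original article, the following Python parses the "show security pki crl detail" output above, checks a certificate serial number against the revocation list, and flags a cached CRL whose Next update has already passed (the device should refresh it from the CDP before trusting it). The sample output is constructed from the excerpt above, and the outcome labels are my own.

```python
import re
from datetime import datetime

# Constructed sample, matching the 'show security pki crl detail' output above.
CRL_DETAIL = """CA profile: mycaprofile
  CRL version: V00000001
  CRL issuer: DC = com, DC = juniper, CN = Lab
  Effective date: 09-11-2011 17:05
  Next update: 09-19-2011 05:25
  Revocation List:
    Serial number                    Revocation date
    29ce0bff00000000015e             06-24-2011 12:23
    29b1328000000000015d             06-24-2011 12:22
"""

DATE_FMT = "%m-%d-%Y %H:%M"


def parse_date(text: str) -> datetime:
    # Junos pads a single-digit day with a space ("03- 3-2015"); normalise it first.
    return datetime.strptime(text.strip().replace("- ", "-0"), DATE_FMT)


def parse_crl_detail(output: str) -> dict:
    """Turn the CLI output into a dict: profile, issuer, validity window, revoked serials."""
    crl = {}
    for key, label in (("profile", "CA profile"), ("issuer", "CRL issuer"),
                       ("effective", "Effective date"), ("next_update", "Next update")):
        m = re.search(rf"{label}: (.+)", output)
        crl[key] = m.group(1).strip() if m else None
    crl["effective"] = parse_date(crl["effective"])
    crl["next_update"] = parse_date(crl["next_update"])
    # Revocation list rows: a hex serial followed by a revocation timestamp.
    crl["revoked"] = {
        m.group(1).lower(): parse_date(m.group(2))
        for m in re.finditer(r"^\s*([0-9a-fA-F]{8,})\s+(\d{2}-[ \d]\d-\d{4} \d{2}:\d{2})\s*$",
                             output, re.M)
    }
    return crl


def check_cert(crl: dict, serial: str, now: datetime) -> str:
    """Outcome a verifier should reach for 'serial' against this CRL at time 'now'."""
    if now < crl["effective"]:
        return "crl-not-yet-valid"
    if now > crl["next_update"]:
        return "crl-expired"  # stale local copy: re-fetch from the CDP before trusting it
    if serial.lower().lstrip("0") in {s.lstrip("0") for s in crl["revoked"]}:
        return "revoked"
    return "good"
```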