 
doka
newbie
Topic Author
Posts: 30
Joined: Tue Nov 13, 2012 10:54 am

crl force update

Wed May 31, 2023 1:48 pm

Hi colleagues,
is there a way to manually reload the CRL from a remote server? The problem is that RouterOS reloads certificates once per hour, and if I find compromised certificates and revoke them (updating the CRL on the server), then I need to wait up to one hour (in the worst case) until RouterOS becomes aware of the revoked certificate.

CRL lists are learned from imported certificates:

[doka@ROS7t] > /certificate/crl/print
Flags: D - DYNAMIC
Columns: CERT, LAST-UPDATE, NUM, REVOKED, URL
# CERT LAST-UPDATE NUM REVOKED URL
0 D xxx.xxxx.net.ua-fullchain.pem_0 may/31/2023 10:16:11 1 0 http://xxx.xxxx.net.ua/A1.crl
1 D xxx.xxxx.net.ua-fullchain.pem_1 may/31/2023 10:16:11 1 0 http://xxx.xxxx.net.ua/R1.crl
2 D xxx.xxxx.net.ua-fullchain.pem_2 may/31/2023 10:16:11 1 0 http://xxx.xxxx.net.ua/R1.crl

and

[doka@ROS7t] > /certificate/settings/print
crl-download: yes
crl-use: yes
crl-store: ram

How can I force reloading of CRL lists upon request?

And an additional question: I couldn't find documentation on the /certificate/settings section. Can anyone point me to where these commands are described?

Thank you.
 
doka
newbie
Topic Author
Posts: 30
Joined: Tue Nov 13, 2012 10:54 am

Re: crl force update

Wed Dec 27, 2023 7:30 pm

Bump question, can anyone answer it? Thank you.
 
wfburton
Frequent Visitor
Posts: 81
Joined: Mon Apr 10, 2023 1:09 am

Re: crl force update

Wed Dec 27, 2023 7:45 pm

[admin@MikroTik] > /certificate/crl flush

[admin@MikroTik] /certificate/settings> set crl-download=yes crl-store=system crl-use=yes

Webcfg System - Certificates - settings

If set to ram you will lose the revoke list if you reboot. Set to system to save between reboots.
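
To see how large the revocation window currently is on a router, the `/certificate/crl/print` output from the question can be parsed and each CRL's LAST-UPDATE compared against an allowed age. This is an added example, not part of the thread or of RouterOS; it assumes the row layout shown in the question, the sample rows are constructed placeholders, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `/certificate/crl/print` output shown
# in the question (certificate names and URLs are placeholders).
SAMPLE = """\
Flags: D - DYNAMIC
Columns: CERT, LAST-UPDATE, NUM, REVOKED, URL
# CERT LAST-UPDATE NUM REVOKED URL
0 D ca.example-fullchain.pem_0 may/31/2023 10:16:11 1 0 http://ca.example/A1.crl
1 D ca.example-fullchain.pem_1 may/31/2023 11:02:40 1 0 http://ca.example/R1.crl
"""

# index, optional flag letters, cert name, date, time, NUM, REVOKED, URL
ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Z]+\s+)?(?P<cert>\S+)\s+"
    r"(?P<date>[a-z]{3}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<num>\d+)\s+(?P<revoked>\d+)\s+(?P<url>\S+)\s*$"
)
# Explicit month table so parsing does not depend on the host locale.
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

def parse_crl_print(text):
    """Return one dict per CRL row; legend and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        mon, day, year = m["date"].split("/")
        h, mi, s = map(int, m["time"].split(":"))
        rows.append({
            "cert": m["cert"],
            "url": m["url"],
            "revoked": int(m["revoked"]),
            "last_update": datetime(int(year), MONTHS[mon], int(day), h, mi, s),
        })
    return rows

def stale_crls(text, now, max_age):
    """CRLs whose last download is older than max_age at router time `now`."""
    return [r for r in parse_crl_print(text) if now - r["last_update"] > max_age]

if __name__ == "__main__":
    now = datetime(2023, 5, 31, 11, 10, 0)  # constructed "current" router time
    for r in stale_crls(SAMPLE, now, timedelta(minutes=15)):
        print(f"stale: {r['url']} (last update {r['last_update']}, cert {r['cert']})")
```

`now` has to be the router's own clock, since LAST-UPDATE carries no time zone.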
