Powershell DOD CRLAutoCache

Certificate Revocation Lists (CRLs) are important in a smartcard authentication architecture. I have mine configured so that if our web connection goes down, users will still be able to log in with their smartcards. This matters even more on DoD networks, since smartcards are mandated for Windows authentication. The alternative to CRLs is OCSP, which is the preferred protocol because it uses far less network resource, but it offers no protection when the internet connection goes down. I'm not going to give an in-depth explanation of the two, since that is not the intention of this blog.

DoD has a nifty tool called CRLAutoCache for automated downloading of CRLs. Unfortunately there is no place in it to specify a web proxy. Modern networks use a web proxy for security purposes, so I created a PowerShell script that downloads ALLCRLZIP.ZIP and unzips it onto an IIS server. FYI, this IIS server is also my WSUS server, so I did not introduce another IIS instance. You can just copy and paste the code and give it a .ps1 extension (mine is CRL_DOWNLOAD.ps1).

Here it is:

# Created by Totie Bash
# This part downloads the zip through the web proxy
$wc = New-Object System.Net.WebClient
$webproxy = New-Object System.Net.WebProxy("http://proxy:80", $true)
$source = "http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP"
$destination = "C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP"
$wc.Proxy = $webproxy
$wc.DownloadFile($source, $destination)

# This part unzips everything into the IIS folder (0x14 = answer "yes to all", no progress dialog)
$shell = New-Object -ComObject Shell.Application
$zip = $shell.NameSpace("C:\inetpub\wwwroot\CRL\ALLCRLZIP.ZIP")
$destination = $shell.NameSpace("C:\inetpub\wwwroot\CRL")
$destination.CopyHere($zip.Items(), 0x14)

Note: sorry about this. If your copy shows a trailing &#8243 or &#8221 after the quoted strings (a mangled closing quote), remove it: line 4 should read just "http://proxy:80" and line 5 just "http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP".

– I then created a scheduled task that runs every day at 4 in the morning to execute the CRL_DOWNLOAD.ps1 script. Note: I had to change the user that runs this task to "System" and check "Run with highest privileges".

POWERSHELL -executionpolicy bypass "C:\WINDOWS\CRL_DOWNLOAD.ps1"

– After that I point my Tumbleweed Desktop Validator (or any DV software) to the internal CRL address as its primary validation source and push the config through GPO.
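A hardened variant of the same refresh job, added here as an example and not the post's own script: it downloads through the proxy, checks that the file really is a ZIP (a proxy block page saved as ALLCRLZIP.ZIP would otherwise wipe the cache), unpacks into a staging folder, and only then overwrites the IIS folder, reporting success or failure to the Application event log and via the exit code the scheduled task sees. The proxy URL, IIS path and event-log source name are assumed values; the CRL URL is the one used in the post.

```powershell
# Added example, not the blog's own script. Assumed values: proxy URL, IIS folder,
# event-log source. Requires Windows PowerShell 5.0+ for Expand-Archive.
$ErrorActionPreference = 'Stop'
$ProxyUrl = 'http://proxy:80'                               # assumed proxy
$Source   = 'http://crl.disa.mil/getcrlzip?ALL+CRL+ZIP'     # URL from the post
$WebRoot  = 'C:\inetpub\wwwroot\CRL'                        # folder IIS serves to the DV clients
$TempZip  = Join-Path $env:TEMP 'ALLCRLZIP.ZIP'
$Staging  = Join-Path $env:TEMP 'CRL_staging'
$LogSrc   = 'CRL_DOWNLOAD'                                  # assumed event-log source name

function Write-CrlLog([string]$Type, [string]$Message) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSrc)) {
        New-EventLog -LogName Application -Source $LogSrc      # needs admin; the task runs as SYSTEM
    }
    Write-EventLog -LogName Application -Source $LogSrc -EntryType $Type -EventId 1000 -Message $Message
}

try {
    # Download through the web proxy, exactly as the original script does
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = New-Object System.Net.WebProxy($ProxyUrl, $true)
    $wc.DownloadFile($Source, $TempZip)

    # Refuse to publish anything that does not start with the ZIP signature "PK"
    $fs = [System.IO.File]::OpenRead($TempZip)
    try { $magic = New-Object byte[] 2; [void]$fs.Read($magic, 0, 2) } finally { $fs.Close() }
    if ($magic[0] -ne 0x50 -or $magic[1] -ne 0x4B) { throw "Downloaded file is not a ZIP archive" }

    # Unpack into staging first so a bad or empty archive never empties the live cache
    if (Test-Path $Staging) { Remove-Item $Staging -Recurse -Force }
    Expand-Archive -Path $TempZip -DestinationPath $Staging -Force
    $crls = @(Get-ChildItem -Path $Staging -Filter '*.crl' -File)
    if ($crls.Count -eq 0) { throw "Archive contained no .crl files" }

    # Only now overwrite the files IIS serves
    Copy-Item -Path (Join-Path $Staging '*.crl') -Destination $WebRoot -Force
    Write-CrlLog 'Information' "Published $($crls.Count) CRL files to $WebRoot"
}
catch {
    # A non-zero exit shows up as a failed Last Run Result in Task Scheduler
    Write-CrlLog 'Error' "CRL refresh failed: $($_.Exception.Message)"
    exit 1
}
finally {
    Remove-Item $TempZip, $Staging -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it from the same scheduled task as the post's script; the event-log entries give you something to alert on if the DoD CRL download starts failing silently behind the proxy.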


6 responses to "Powershell DOD CRLAutoCache"

  1. I just found this and this is very similar to what I did, aside from the PowerShell script. Essentially the same situation for me on our tactical networks, but not too long ago our systems were wiped and upgraded. So now I am trying to reaccomplish this and I lost out on some continuity. Hopefully you get this very soon. Can you please email me? If you don't see my email, let me know, if you can.

    • First, I am going to attempt what I think you did for the CRLs. Yesterday I tried by installing an OCSP responder, but that was not working.

      I have two questions. First, I also download the same ALLCRL.ZIP from crl.gds.disa.mil, and I would import them by going into the certificate services, then going to Intermediate Certificate Authorities. Is this what you do or do you just have a local share folder containing all of the CRLs?

      Second, how did you point Tumbleweed Desktop Validator (or any DV software) to the internal CRL address as my primary validation? Did you create a list of CRL validation options to point to each individual CRL? I was thinking of putting all the CRLs in a folder and then in IIS create a virtual folder linked to that folder, allowing me to use a web address to point to each CRL, like http://Server.FQDN/_CRL/DODCA_27.crl.

      email might be easier. jordan.dombrowski@us.af.mil

      • "First, I also download the same ALLCRL.ZIP from crl.gds.disa.mil, and I would import them by going into the certificate services, then going to Intermediate Certificate Authorities." – The CRL is not used that way. You probably have it mixed up with InstallRoot.exe, which automatically imports those certificates into the Windows certificate store.

        "How did you point Tumbleweed Desktop Validator (or any DV software) to the internal CRL address as my primary validation? Did you create a list of CRL validation options to point to each individual CRL?" Yes, I created a list of validation options, manually typing around 30 to 50 of them, unfortunately. Pretty much I configured one with the config I wanted and added the validation options, added proxy settings for OCSP etc. Once I was happy and had tested the config, I exported the config, put it on a network share (I put mine on the DC NETLOGON share), and used GPO to send it across the domain; there's an ADM template for this, read the DV manual. I'll email some supporting screenshots and my DV config for reference.

        "I was thinking of putting all the CRLs in a folder and then in IIS create a virtual folder linked to that folder, allowing me to use a web address to point to each CRL, like http://Server.FQDN/_CRL/DODCA_27.crl." Bingo!! Exactly what I did here. The daily PowerShell scheduled-task script resides on this web server.

  2. I am a junior system admin working on a contractor site behind a proxy and will be
    implementing PKI validation for server and workstation logon using DoD CAC authentication. This will be my first attempt at such a task. We have a group of systems here that we manage for DISA.
    Correct me if I am wrong; my understanding is that I would not need a local CA on our site, because DISA's CAs would be handling the certs. Would I need to create a local OCSP or just an IIS instance, like our WSUS, to have Tumbleweed validate our logins?
    Would I need to use DOD CRL AutoCache at all, or just the script?

    I am currently working on my MSCA and have an intermediate understanding of Microsoft PKI, but the disconnect is all the 3rd-party software used by DoD and the uniqueness of my situation (proxy exceptions, not being in the DISA forest).

    I would love to see as much configurations, screenshots, etc. as possible without breaching security or sensitive information. Any information you could pass along that could help in this endeavor would be much appreciated.

    Please Send me an email: philip.grant@ngc.com or philip.b.grant.ctr@mail.mil

    Thank you in Advance,
    Phil

    • – No need for a local CA. The CAs that signed your users' CACs or SIPR tokens are DISA's CAs, therefore you need to configure your infrastructure to validate through DISA's CAs.
      – No need for OCSP; this guide is for local CRLs, which is all you would need.
      – DOD CRL AutoCache's problem is that it does not have a section to punch through a proxy server. This is why the PowerShell script here is needed. Maybe in the future they'll update the tool.
      I'm sorry, I don't have screenshots. Good luck.
