Importing a CRL File

After the certificate revocation list (CRL) file on the CA server is updated, manually import the corresponding CRL file to each server to ensure that the CRL file is the latest during certificate verification.

You need to manually transfer the CRL file to the specified directory on the server and perform related operations.

| Directory for Storing the CRL File | Owner | Permission | Soft Link |
| --- | --- | --- | --- |
| cert_path in the installation configuration file of the installation package. The default value is the cert directory in the tool installation directory. Name format: ca.crl | Consistent with that during installation | 600 | No soft link is required. |

Go to the tool installation directory and run the following command to import the CRL file. After that, enter the password of the remote server. After the CRL file is imported, it is updated to the cert directory in the tool installation directory.

./tools/haf-tool cert --server <ca_server_ip> --path <ca_server_path> --user <ca_server_user> --revoke

Table 1 Using SmartKit to update the certificate on the server or client node

Parameter                      Description
Task Name                      Updating the node certificate
Task Description               Importing the CRL file from the CA node to the local node
Run Directory                  /
Run Command                    echo password | /home/omm/haf-install/haf-target/tools/haf-tool cert --server ca_server_ip --path ca_server_path --user ca_server_user --revoke
Whether to Check Return Code   Yes
Expected Return Code           0

The following steps use the offload nodes with the HAF service as an example. For host nodes and the offload nodes with the HAF library, perform similar steps.

The following describes how to import the CRL file to an offload node.

  1. Transfer the CRL file to offload nodes.

    Parameter            Description
    Task Name            Transferring the CRL file to offload nodes
    Task Description     Transferring the CRL file to offload nodes
    Transfer Direction   From Local to Remote
    Local Path           /xx/xx/ca.crl
    Remote Path          /home/omm/haf-install/haf-target/cert

  2. Configure the permission of the ca.crl file.

    Parameter                      Description
    Task Name                      Configuring the permission of the ca.crl file
    Task Description               Configuring the permission of the ca.crl file
    Run Directory                  /
    Run Command                    chmod 600 /home/omm/haf-install/haf-target/cert/ca.crl
    Whether to Check Return Code   Yes
    Expected Return Code           0
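A check for the storage requirements listed above (file name ca.crl, permission 600, expected owner, no soft link), run on a node after the transfer and chmod steps. It is an added example, not part of the product documentation or of haf-tool. The function names check_crl, file_mode and file_owner are hypothetical, and the expected owner is passed as an argument because the page only states that it is consistent with the installation owner.

```shell
#!/bin/sh
# Added example: verify ca.crl against the storage requirements in the table
# (name ca.crl, mode 600, expected owner, not a soft link).

# Print the octal mode / owner name of a file (GNU stat, then BSD stat).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_crl FILE EXPECTED_OWNER
# Returns 0 if FILE meets every requirement; otherwise prints one FAIL line
# per violation and returns 1.
check_crl() {
    crl=$1
    want_owner=$2
    rc=0

    # Test for a soft link before -f: -f follows links, so a link that
    # points at a regular file would otherwise be accepted.
    if [ -L "$crl" ]; then
        echo "FAIL: $crl is a soft link"
        return 1
    fi
    if [ ! -f "$crl" ]; then
        echo "FAIL: $crl is missing or not a regular file"
        return 1
    fi
    if [ "$(basename "$crl")" != "ca.crl" ]; then
        echo "FAIL: file name must be ca.crl"
        rc=1
    fi
    mode=$(file_mode "$crl")
    if [ "$mode" != "600" ]; then
        echo "FAIL: mode is $mode, expected 600"
        rc=1
    fi
    owner=$(file_owner "$crl")
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $crl"; fi
    return "$rc"
}

# Usage: sh check_crl.sh <path-to-ca.crl> <expected-owner>
if [ "$#" -eq 2 ]; then
    check_crl "$1" "$2"
fi
```

A non-zero return code fits the "Whether to Check Return Code" convention used by the tasks above, so the check can be run as one more task with an expected return code of 0.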

crt_revoke.sh is the internal script for importing a CRL. It is stored in haf-tool/scripts of the installation directory and is invoked by haf_tool. The internal invoking commands are as follows:

cd tools/scripts

./crt_revoke.sh -i <ip_addr> -p <remote_path> -u <user_name> -t <cert_path>

After the command is executed, manually enter the password for logging in to the remote server.

Table 2 Parameter description

| Option | Description | Mandatory |
| --- | --- | --- |
| -i <ip_addr> | IP address of the server where the CA node is located. It is entered by the user and imported using haf_tool. | Yes |
| -p <remote_path> | Path for storing the CA node certificate. It is entered by the user and imported using haf_tool. | Yes |
| -u <user_name> | User name of the server where the CA node is located. It is entered by the user and imported using haf_tool. | Yes |
| -t <cert_path> | Path for storing the CRL. haf-tool uses the cert_path parameter in the configuration file to invoke this path. | |

crt_revoke.sh is an internal tool of the software. You are not advised to invoke it independently.