Arnavion / acme-azure-function

Azure Function that auto-renews TLS certificates using ACME v2
GNU Affero General Public License v3.0

[renew-cert] Check for the existing cert's revocation #3

Closed Arnavion closed 3 months ago

Arnavion commented 4 years ago

... not just its expiry time.

A crate like x509-parser can be used to get the OCSP URL. But there's no pure-Rust crate (i.e., not openssl) to do OCSP, so the function would need to talk the OCSP protocol manually with something like der.

Ref:

Arnavion commented 3 months ago

LE is planning to sunset OCSP in favor of CRLs.

But also, Let's Encrypt confirmed here that ARI will return a suggested window of "right now" for a revoked cert, so there's no need to check revocation separately anyway.
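
The following is an added example, not part of the thread and not code from acme-azure-function: a std-only Rust sketch of a renewal decision that combines the expiry check with the ARI suggested window, so a window that has already opened (the revoked-cert case described above) triggers renewal even when expiry is far away. All function names are hypothetical, the window's start timestamp is assumed to be already extracted from the ARI response, and the sketch renews as soon as the window opens rather than picking a time inside it.

```rust
// Added example; not code from acme-azure-function. All names are hypothetical.

/// Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil).
fn days_from_civil(y: i64, m: i64, d: i64) -> i64 {
    let y = if m <= 2 { y - 1 } else { y };
    let (era, yoe) = (y.div_euclid(400), y.rem_euclid(400));
    let doy = (153 * ((m + 9) % 12) + 2) / 5 + d - 1; // year starts in March
    era * 146_097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719_468
}

/// Parses an RFC 3339 UTC timestamp such as "2025-03-01T12:00:00Z" into Unix
/// seconds. Only the "Z" offset is accepted; fractional seconds are dropped.
fn parse_rfc3339_utc(s: &str) -> Option<i64> {
    let b = s.as_bytes();
    if !s.is_ascii() || b.len() < 20 || !s.ends_with('Z') {
        return None;
    }
    if b[4] != b'-' || b[7] != b'-' || b[10] != b'T' || b[13] != b':' || b[16] != b':' {
        return None;
    }
    let num = |r: std::ops::Range<usize>| -> Option<i64> {
        let t = &s[r];
        if t.bytes().all(|c| c.is_ascii_digit()) { t.parse().ok() } else { None }
    };
    let (y, mo, d) = (num(0..4)?, num(5..7)?, num(8..10)?);
    let (h, mi, sec) = (num(11..13)?, num(14..16)?, num(17..19)?);
    if !(1..=12).contains(&mo) || !(1..=31).contains(&d) || h > 23 || mi > 59 || sec > 60 {
        return None;
    }
    Some(days_from_civil(y, mo, d) * 86_400 + h * 3_600 + mi * 60 + sec)
}

#[derive(Debug, PartialEq)]
enum Decision { RenewNow, Wait }

/// Renew when the ARI suggested window has opened or the cert is within `margin`
/// seconds of expiry. A missing or unparseable ARI value falls back to expiry only.
fn decide(now: i64, not_after: i64, margin: i64, ari_start: Option<&str>) -> Decision {
    let window_open = ari_start.and_then(parse_rfc3339_utc).map_or(false, |start| now >= start);
    if window_open || now >= not_after - margin { Decision::RenewNow } else { Decision::Wait }
}

fn main() {
    // Constructed sample: 60 days of validity left, 30-day renewal margin.
    let now = parse_rfc3339_utc("2025-03-01T12:00:00Z").unwrap();
    let not_after = now + 60 * 86_400;
    // A window that starts at or before `now` is what a revoked cert would get.
    println!("{:?}", decide(now, not_after, 30 * 86_400, Some("2025-03-01T11:59:00Z")));
    println!("{:?}", decide(now, not_after, 30 * 86_400, Some("2025-04-01T00:00:00Z")));
}
```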