The revoke endpoint for EJBCA will merrily revoke any cert for which you have the Serial Number. Vault 'PKI', on the other hand, requires the private key to be presented to revoke.
We consider this desired functionality: without accepting and validating the private key it would allow anyone with access to the endpoint and knowledge of a cert's serial number to revoke that cert. This is a problem as we expose multiple roles to generate certs and expect that we can only revoke for certificates in our possession.
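The possession check described above, as an added example (not EJBCA's or Vault's code): a revoke request is honoured only when the presented private key matches the stored certificate, so knowing the serial number is not enough. `issued`, `issue` and `canRevoke` are hypothetical names, and the certificates are constructed self-signed test fixtures.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var issued = map[string]*x509.Certificate{} // serial -> cert; stand-in CA store (assumption)

// issue makes a constructed self-signed test cert and returns its PKCS#8 key as PEM.
func issue(serial int64) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	issued[t.SerialNumber.String()], _ = x509.ParseCertificate(der)
	p8, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: p8})
}

// canRevoke (hypothetical): serial alone is not enough; keyPEM must be the cert's key.
func canRevoke(serial string, keyPEM []byte) error {
	cert := issued[serial]
	block, _ := pem.Decode(keyPEM)
	if cert == nil || block == nil {
		return fmt.Errorf("serial %q: unknown serial or missing private key", serial)
	}
	priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	signer, ok := priv.(crypto.Signer) // ok is false when parsing failed (priv is nil)
	if err != nil || !ok {
		return fmt.Errorf("serial %q: unusable private key", serial)
	}
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return fmt.Errorf("serial %q: private key does not match certificate", serial)
	}
	return nil
}

func main() {
	keyA, keyB := issue(1001), issue(1002)
	fmt.Println(canRevoke("1001", keyA), canRevoke("1001", keyB), canRevoke("1001", nil))
}
```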