Keyfactor / ejbca-vault-pki-engine

EJBCA PKI Engine and Backend for HashiCorp Vault. Used to issue, sign, and revoke certificates using the EJBCA CA.
Apache License 2.0

ejbca-pki/revoke endpoint ignores private key #8

Closed: verdantvestibule closed this issue 3 months ago

verdantvestibule commented 4 months ago

The revoke endpoint for EJBCA will merrily revoke any cert for which you have the Serial Number. Vault 'PKI', on the other hand, requires the private key to be presented to revoke.

We consider this desired functionality: without accepting and validating the private key it would allow anyone with access to the endpoint and knowledge of a cert's serial number to revoke that cert. This is a problem as we expose multiple roles to generate certs and expect that we can only revoke for certificates in our possession.

m8rmclaren commented 4 months ago

Hi @verdantvestibule!

Thank you for submitting this issue and bringing this vulnerability to our attention. This will be addressed in Version 1.2 in this PR.
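The proof-of-possession check requested in the issue above, as an added example; it is not the plugin's code and not the change made in Version 1.2. `authorizeRevoke` and `newSample` are hypothetical names, the certificates and keys are constructed at run time, and the caller is assumed to submit the certificate in DER form with its private key in PKCS#8.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authorizeRevoke (hypothetical helper) permits a revoke request only when the
// caller presents the private key belonging to the certificate being revoked.
func authorizeRevoke(certDER, pkcs8Key []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	key, err := x509.ParsePKCS8PrivateKey(pkcs8Key)
	if err != nil {
		return fmt.Errorf("parse private key: %w", err)
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return fmt.Errorf("unsupported private key type %T", key)
	}
	// RSA, ECDSA and Ed25519 public keys in the standard library all provide Equal.
	pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return fmt.Errorf("private key does not match certificate %s", cert.SerialNumber)
	}
	return nil
}

// newSample returns a constructed self-signed certificate and its PKCS#8 key (errors ignored).
func newSample(serial int64) (certDER, keyDER []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: "constructed.example"}}
	certDER, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ = x509.MarshalPKCS8PrivateKey(priv)
	return certDER, keyDER
}

func main() {
	certA, keyA := newSample(1)
	_, keyB := newSample(2)
	fmt.Println(authorizeRevoke(certA, keyA), "|", authorizeRevoke(certA, keyB))
}
```

A revoke handler would run a check like this before forwarding the serial number to the CA, so that knowing a serial number alone is not sufficient to revoke.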