VictoriaMetrics / VictoriaMetrics

VictoriaMetrics: fast, cost-effective monitoring solution and time series database
https://victoriametrics.com/
Apache License 2.0

Certificate Revocation List (CRL)/OCSP #7346

Open vmw-web opened 1 week ago

vmw-web commented 1 week ago

Is your question request related to a specific component?

VictoriaMetrics Certificate Revocation List (CRL)/OCSP

Describe the question in detail

Do VictoriaMetrics components support certificate revocation? Looking for configuration parameters and documentation related to that.

If it is not supported, will this be addressed in the upcoming releases?

Troubleshooting docs

tiny-pangolin commented 1 week ago

I believe VictoriaMetrics uses the operating system's certificate store by default. Is it possible to add your CRL to the operating system's CA store so it can be used by VictoriaMetrics?

f41gh7 commented 1 week ago

Hello,

Currently, it's not possible to configure either CRL or OCSP.

The golang standard library has an open issue for OCSP support: https://github.com/golang/go/issues/40017.

Meanwhile, we could add CRL support; there is a built-in function to check the certificate: https://pkg.go.dev/crypto/x509#RevocationList.CheckSignatureFrom

But for me, it makes the most sense for mTLS-based connections with the client certificate check enabled, which is an enterprise feature.
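An added example, not part of the thread and not VictoriaMetrics code, of a CRL check built on the `RevocationList.CheckSignatureFrom` function linked above. The names `checkCRL` and `fixture` are hypothetical, the CA and CRL are constructed sample data, and Go 1.21 or later is assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// checkCRL fails closed: the CRL must parse, be signed by issuer, be fresh, and not list cert.
func checkCRL(crlDER []byte, issuer, cert *x509.Certificate, now time.Time) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(rl.NextUpdate) {
		return fmt.Errorf("CRL is stale: NextUpdate was %s", rl.NextUpdate)
	}
	for _, e := range rl.RevokedCertificateEntries { // field added in Go 1.21
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", cert.SerialNumber, e.RevocationTime)
		}
	}
	return nil
}

// fixture builds constructed sample data (errors ignored): a CA, a stand-in leaf with serial 2, and a CRL revoking it.
func fixture() (ca, leaf *x509.Certificate, crl []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	ca, _ = x509.ParseCertificate(der)
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(2), RevocationTime: now}}}
	crl, _ = x509.CreateRevocationList(rand.Reader, rl, ca, key)
	return ca, &x509.Certificate{SerialNumber: big.NewInt(2)}, crl
}

func main() {
	ca, leaf, crl := fixture()
	fmt.Println(checkCRL(crl, ca, leaf, time.Now())) // prints the "revoked" error
}
```

In an mTLS server a check like this would run from `tls.Config.VerifyPeerCertificate`, taking `verifiedChains[i][0]` as the certificate and `verifiedChains[i][1]` as its issuer.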