Issue (Open), opened by xunholy 3 years ago
Hi @xUnholy
If you have enabled CRL in your CA Pool, issued certificates should already contain the CRL distribution endpoint, which is managed by Google. It's not an extension that is included in certificate requests; it's the responsibility of the CA (Google's CAS only supports CRL for enterprise tier CA pools).
Are you intending to run your own OCSP responder?
Hi, we would like to understand how validation of certificates can be done against the CRL (storage bucket) using cert-manager. There is a bespoke design using CloudRun (operating as OCSP) and storage buckets here - https://github.com/GoogleCloudPlatform/gcp-ca-service-ocsp - which addresses this. However, we were hoping cert-manager can handle the revocation validation, in addition to issuance and renewals.
It's my understanding that to use the CAS CRL I would need to configure cert-manager to support the OCSP server, which is available in the native cert-manager configuration; however, it is not supported in this plugin issuer.
Native capability: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CAIssuer
Plugin: https://github.com/jetstack/google-cas-issuer/blob/38289b08eff47f94570e394755510dd4cacafd0b/api/v1beta1/googlecasissuer_types.go#L28
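The revocation check asked about in this thread (a consumer validating a leaf against the CRL whose URL the issuing CA embeds in the certificate), as an added example that is not part of the thread, cert-manager or the google-cas-issuer plugin. It uses only the Go standard library; the CA, both leaves and the CRL are constructed in-process, and the CRL distribution point URL is a placeholder standing in for the Google-managed endpoint, which a real client would fetch before calling IsRevoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
const crlURL = "http://crl.example.invalid/pool.crl" // constructed placeholder, not a real CAS CRL endpoint
// Fixtures builds a constructed CA, a valid leaf, a revoked leaf, and the CA's DER-encoded CRL.
func Fixtures() (ca, good, bad *x509.Certificate, crlDER []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return }
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required to sign CRLs
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	if err != nil { return }
	ca, _ = x509.ParseCertificate(caDER)
	leaf := func(serial int64, cn string) (*x509.Certificate, error) { // each leaf carries the CDP extension
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour), CRLDistributionPoints: []string{crlURL}}
		der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, key)
		if err != nil { return nil, err }
		return x509.ParseCertificate(der)
	}
	if good, err = leaf(2, "good.example"); err != nil { return }
	if bad, err = leaf(3, "revoked.example"); err != nil { return }
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bad.SerialNumber, RevocationTime: now}}}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, key)
	return
}

// IsRevoked checks a leaf against a DER CRL, trusting the CRL only if the CA signed it and it is still current.
func IsRevoked(leaf *x509.Certificate, crlDER []byte, ca *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := crl.CheckSignatureFrom(ca); err != nil { return false, err } // unsigned or forged CRL: refuse
	if time.Now().After(crl.NextUpdate) { return false, errors.New("CRL is stale") } // expired CRL: refuse
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}
```

In production the CRL bytes come from an HTTP GET of leaf.CRLDistributionPoints, and a fetch or validation failure should be treated as "status unknown" rather than "not revoked".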