certera-io / certera

A central validation server for Let's Encrypt certificates
https://docs.certera.io

Certificate revocation #4

Closed carloscarnero closed 4 years ago

carloscarnero commented 4 years ago

Does the action of deleting a certificate via the UI request a revocation? If not, what should be the procedure?

certeraio commented 4 years ago

Hi @carloscarnero

Deleting does not currently issue a revocation against Let's Encrypt servers. I've thought a little about this, but not too much. Revocation has some problems of its own, but that doesn't mean it can't still be used. Here's more info from the LE site: https://letsencrypt.org/docs/revoking/

I'm thinking that a checkbox on the delete page will allow you to choose to revoke on deleting. If checked, it will perform the revocation call. If not, it'll simply delete it. How does that sound?

carloscarnero commented 4 years ago

> I'm thinking that a checkbox on the delete page will allow you to choose to revoke on deleting. If checked, it will perform the revocation call. If not, it'll simply delete it. How does that sound?

From where I stand, adding that will make certera able to cover the whole certificate lifecycle. It'd be great, IMO.

certeraio commented 4 years ago

On second thought, I'm not sure I like it on the delete page anymore.

I'd like to incorporate getting the OCSP result from the issuer so you can validate that it's been revoked. If you delete the cert, you'll lose the ability to view/verify OCSP status. Perhaps, a better solution would be to make the revocation not part of delete, but on the certificate page itself. For example, when viewing the details of a certificate (the page where it shows the API keys and the history of changes), there should be an option to view the OCSP response from the CA. You can also perform revocation there on the page (and subsequently re-validate the OCSP response). If all is as expected, then you can proceed to deleting as you see fit.

Let me mull over it so things are consistent and give the most flexible experience for everyone. I'll get back to you soon.

certeraio commented 4 years ago

@carloscarnero

Please check out version 2.1.0-beta here: https://github.com/certera-io/certera/releases/tag/2.1.0-beta

It has the OCSP check and revocation ability on the certificate page. Please give that a try and let me know what you think.

carloscarnero commented 4 years ago

> It has the OCSP check and revocation ability on the certificate page. Please give that a try and let me know what you think.

I can confirm that both OCSP checks and certificate revocation work correctly! (I tried it on two different certs.) Thank you!

certeraio commented 4 years ago

Thanks for confirming!