djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License

Revoke of a Certificate #93

Open tal-hason opened 1 month ago

tal-hason commented 1 month ago

Hi, I am currently implementing the adcs plugin with cert-manager, and I can't see any reference to revoking certificates when deleting the certificate item from the cluster.

djkormo commented 3 weeks ago

What is your scenario ? You delete certificate object from kubernetes and certificate in ADCS is still active ?

tal-hason commented 3 weeks ago

Yes, after we removed the certificate item, we checked in the adcs and it was still present...

djkormo commented 3 weeks ago

The current version does not support revoking certificates.

  1. The Certificate object in Kubernetes is controlled by cert-manager itself. The ADCS issuer only uses the CertificateRequest in its loop and creates an AdcsRequest as a dedicated resource (one to one) to store information about the certificate ID from the ADCS service.
  2. We can try to implement it so that when a CertificateRequest and its child AdcsRequest are deleted, a call is prepared to revoke the certificate in the ADCS service. I can prepare a dedicated finalizer on AdcsRequest objects to do it. It could be an option controlled via the dedicated ConfigMap.
  3. I have to find out how to revoke a certificate via the ADCS API.
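
The finalizer flow sketched above, written out as an added example (my code, not code from adcs-issuer). It deliberately avoids controller-runtime so it runs stand-alone: `AdcsRequest`, the finalizer name, the `Config.RevokeOnDelete` switch, the `Revoker` interface and the in-memory `MemoryCA` are all assumptions for illustration. What it shows is the part that is easy to get wrong: the finalizer is registered while the object is alive, revocation happens only once the object carries a deletion timestamp, and the finalizer is released only after the CA has accepted the revocation, so a CA outage delays deletion rather than silently skipping it.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Finalizer name and ConfigMap option are assumptions for this example, not the project's names.
const RevokeFinalizer = "adcs-issuer.example/revoke-on-delete"

// RFC 5280 CRLReason value used when the certificate is simply no longer needed.
const ReasonCessationOfOperation = 5

// AdcsRequest is a minimal stand-in for the project's AdcsRequest custom resource.
type AdcsRequest struct {
	Name              string
	Finalizers        []string
	DeletionTimestamp *time.Time
	Status            AdcsRequestStatus
}

// AdcsRequestStatus keeps the ADCS-side identifier the controller already stores.
type AdcsRequestStatus struct {
	ID string // request/serial identifier returned by the ADCS service
}

// Revoker is the CA call the finalizer needs. A real implementation would have to
// reach ICertAdmin::RevokeCertificate or certutil -revoke on a CA-side host (assumption).
type Revoker interface {
	Revoke(id string, reason int) error
}

// Config mirrors a single ConfigMap switch controlling the feature.
type Config struct {
	RevokeOnDelete bool
}

// Result mimics controller-runtime's reconcile result without importing it.
type Result struct {
	Requeue bool
}

type Reconciler struct {
	Cfg     Config
	Revoker Revoker
}

func hasFinalizer(obj *AdcsRequest) bool {
	for _, f := range obj.Finalizers {
		if f == RevokeFinalizer {
			return true
		}
	}
	return false
}

func removeFinalizer(obj *AdcsRequest) {
	kept := obj.Finalizers[:0]
	for _, f := range obj.Finalizers {
		if f != RevokeFinalizer {
			kept = append(kept, f)
		}
	}
	obj.Finalizers = kept
}

// Reconcile registers the finalizer on live objects, revokes on deletion, and
// releases the object only once the CA has accepted the revocation.
func (r *Reconciler) Reconcile(obj *AdcsRequest) (Result, error) {
	if obj.DeletionTimestamp == nil {
		// Live object: register the finalizer while the feature is on, so a later
		// delete cannot bypass revocation.
		if r.Cfg.RevokeOnDelete && !hasFinalizer(obj) {
			obj.Finalizers = append(obj.Finalizers, RevokeFinalizer)
		}
		return Result{}, nil
	}
	if !hasFinalizer(obj) {
		return Result{}, nil // nothing to do; Kubernetes garbage-collects the object
	}
	// Feature switched off after the finalizer was added, or no certificate was ever
	// issued: never wedge deletion, just release the object.
	if !r.Cfg.RevokeOnDelete || obj.Status.ID == "" {
		removeFinalizer(obj)
		return Result{}, nil
	}
	if err := r.Revoker.Revoke(obj.Status.ID, ReasonCessationOfOperation); err != nil {
		// Keep the finalizer so the object stays until revocation succeeds; requeue.
		return Result{Requeue: true}, fmt.Errorf("revoking %s (id %s): %w", obj.Name, obj.Status.ID, err)
	}
	removeFinalizer(obj)
	return Result{}, nil
}

// MemoryCA is a constructed stand-in for ADCS so the logic can be exercised offline.
type MemoryCA struct {
	Revoked map[string]int
	Down    bool // simulate the CA being unreachable
}

var ErrCAUnavailable = errors.New("ca unreachable")

func (c *MemoryCA) Revoke(id string, reason int) error {
	if c.Down {
		return ErrCAUnavailable
	}
	if c.Revoked == nil {
		c.Revoked = map[string]int{}
	}
	c.Revoked[id] = reason
	return nil
}

func main() {
	ca := &MemoryCA{}
	r := &Reconciler{Cfg: Config{RevokeOnDelete: true}, Revoker: ca}
	obj := &AdcsRequest{Name: "web-tls-abc", Status: AdcsRequestStatus{ID: "1234"}}
	r.Reconcile(obj) // live object: finalizer gets added
	now := time.Now()
	obj.DeletionTimestamp = &now
	ca.Down = true
	res, err := r.Reconcile(obj)
	fmt.Println(res.Requeue, err, obj.Finalizers) // requeued, finalizer retained
	ca.Down = false
	res, err = r.Reconcile(obj)
	fmt.Println(res.Requeue, err, obj.Finalizers, ca.Revoked) // released, 1234 revoked
}
```

Two practical caveats follow from this shape. First, a finalizer that never succeeds leaves the AdcsRequest (and, through owner references, its parent) stuck in Terminating; the feature switch is checked on the deletion path as well so an operator can always turn it off to drain stuck objects. Second, ICertAdmin is a COM interface on the CA or a host with the CA admin tools, not something the HTTPS web-enrollment channel the issuer uses exposes, so the real `Revoker` would need its own transport to a Windows-side component; that design choice is not settled in this thread.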
tal-hason commented 3 weeks ago

Thanks for the update; that option will be a great feature.

I will try to look over the ADCS API to see if I can assist with what needs to be done to revoke a certificate.

djkormo commented 3 weeks ago

https://learn.microsoft.com/en-us/answers/questions/1664586/can-i-revoke-an-ssl-certificate-using-api-calls-to

tal-hason commented 3 weeks ago

So, from the link you shared it looks like it's possible, if the current implementation is using the COM interface.

Then you can use the ICertAdmin::RevokeCertificate COM interface to automate certificate revocation:

https://learn.microsoft.com/en-us/windows/win32/api/certadm/nf-certadm-icertadmin-revokecertificate

tal-hason commented 3 weeks ago

I don't remember if there is any location that holds the serial number of the created certificate, but it can be stored as an annotation or in a field in the status.

djkormo commented 3 weeks ago

Here you have this field: https://github.com/djkormo/adcs-issuer/blob/master/api/v1/adcsrequest_types.go#L55

The current implementation uses HTTPS with NTLM support.

djkormo commented 3 weeks ago

To check if it is possible from the implementation:

- https://stackoverflow.com/questions/37781676/how-to-use-com-component-object-model-in-golang
- https://support.hypr.com/hc/en-us/articles/6051850391053-Revoke-a-Certificate-Using-the-Certutil-Command
- https://github.com/zzl/go-com