hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Undo of certificate revocation #11757

Open alexk-jh opened 3 years ago

alexk-jh commented 3 years ago

Is your feature request related to a problem? Please describe.

Assume that a certificate has been revoked by accident and that the certificate holder cannot easily replace its certificate (e.g. a hardware device that cannot access its backend without a valid certificate and thus cannot renew its certificate, or a backend service that would require rotation to function again, potentially causing downtime). There seems to be no easy way to undo this right now.

Describe the solution you'd like

Add an HTTP endpoint to the API that allows "un-revocation" by specifying the serial number of the certificate. It should update the internal bookkeeping such that the certificate is no longer treated as revoked and automatically re-generate the CRL.

Describe alternatives you've considered

The only thing that comes to mind is somehow manually modifying vault's storage backend/database but that seems very dangerous. Perhaps there is another way but I haven't found it...

Explain any additional use-cases

None

Additional context

None

vishalnayak commented 3 years ago

Thank you for submitting the request! For those others who are interested in this, please stick a 👍 on the issue.

We will review the request internally and assess its feasibility.