hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Allow revocation of expired certificates #27609

Open tchernobog opened 1 month ago

tchernobog commented 1 month ago

This is a follow-up of https://github.com/hashicorp/vault/issues/19452.

Is your feature request related to a problem? Please describe.

This is for embedded software development.

We use the Vault PKI to sign software releases. Releases themselves are signed by a certificate which has a very short expiration date (hours), since they should not be used for anything other than signing the current release, after which the private key is thrown away.

If, however, we have a software release which is deemed insecure, we use the CRL to block software updates to that version. Since a CVE / security finding can happen at any point in the years (!) to come, we need to be able to revoke an already-expired certificate.

Describe the solution you'd like

We would like an optional parameter to the /pki/revoke endpoint which skips the expiration check in crl_util.go.

Alternatively, it might be even better and even easier to augment /pki/config/crl with a boolean option allow_expired_cert_revocation.

Describe alternatives you've considered

Extending the lifetime of the code signing certificate to match the intermediate. However, since intermediates are also rotated on a yearly or 6-month basis, we still have the same issue, as any leaf certificate's expiration will be bounded by that, and a revocation can happen far later.

We can obviously use /pki/issuer/:issuer_ref/sign-revocation-list and maintain that ourselves.

Otherwise we would need to sign the "CRL" with a detached signature (and handle that in code).

Explain any additional use-cases

See https://github.com/hashicorp/vault/issues/19452.

Additional context

N/A
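The "maintain the CRL ourselves" alternative mentioned in the issue, worked through as an added example that is not part of the original issue or of Vault's code base. It is a stand-alone Go program (Vault itself is written in Go) using only the standard crypto/x509 package: it signs a CRL that lists an already-expired code-signing certificate, then checks that CRL the way an update client would. The throwaway CA, the serial numbers, the validity periods and the reason code are all constructed for the example; in a real deployment the signing step would be performed by Vault (the /pki/issuer/:issuer_ref/sign-revocation-list endpoint the issue mentions, or the requested /pki/revoke change) and the client would fetch the CRL from its distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on fixture-construction errors, which are programming errors here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent with a fresh P-256 key (self-signed when parentKey is
// nil) and re-parses the DER: CreateRevocationList needs the CA's generated SubjectKeyId.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parentKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// fixture is the constructed scenario: a throwaway CA standing in for a Vault PKI issuer
// (KeyUsageCRLSign is mandatory) and a one-hour code-signing leaf issued two days ago.
func fixture(now time.Time) (ca *x509.Certificate, caKey *ecdsa.PrivateKey, expired *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example release CA"},
		NotBefore:             now.Add(-72 * time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey = issue(caTmpl, caTmpl, nil)
	expired, _ = issue(&x509.Certificate{ // the leaf key is discarded, as in the issue
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "release-signer"},
		NotBefore:    now.Add(-48 * time.Hour),
		NotAfter:     now.Add(-47 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
	return ca, caKey, expired
}

// buildCRL signs a CRL listing every certificate in revoked with no NotAfter check, so an
// expired release certificate is listed like any other: what the issue asks Vault to allow.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked []*x509.Certificate, now time.Time) ([]byte, error) {
	var entries []x509.RevocationListEntry
	for _, c := range revoked {
		// ReasonCode 4 = superseded (RFC 5280 CRLReason): the release it signed was withdrawn.
		entries = append(entries, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: now, ReasonCode: 4})
	}
	tmpl := &x509.RevocationList{
		Number:                    big.NewInt(number),
		ThisUpdate:                now,
		NextUpdate:                now.Add(24 * time.Hour),
		RevokedCertificateEntries: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked is the update client's check: trust the CRL only if the CA signed it and it
// is not past NextUpdate, then look the serial up.
func isRevoked(crlDER []byte, ca *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, caKey, old := fixture(time.Now())
	crlDER := must(buildCRL(ca, caKey, 1, []*x509.Certificate{old}, time.Now()))
	revoked, err := isRevoked(crlDER, ca, old.SerialNumber, time.Now())
	fmt.Printf("serial %s expired %s ago; listed in CRL: %v (err: %v)\n", old.SerialNumber, time.Since(old.NotAfter).Round(time.Hour), revoked, err)
}
```

Two caveats the example is built around. First, RFC 5280 (section 5) only requires an entry to stay on the CRL until one regularly scheduled CRL has been issued after the certificate's expiry; an issuer that refuses to list expired serials is following the common convention, which is why this use case needs an explicit policy on the issuer side. Second, the client must refuse a CRL past its NextUpdate rather than treat it as "nothing revoked", since in this scenario the revocation can arrive years after the release was signed and an old cached CRL will not contain it.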

tchernobog commented 1 month ago

Additionally, the certificate is shown as revoked by the UI even though a call to pki/cert/:serial still reports it as not revoked!

(two screenshots attached)