smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

CRL for ssh cert is not supported #1679

Closed gangxie112 closed 7 months ago

gangxie112 commented 8 months ago

Hello!

Issue details

Why is this needed?

It seems that CRL is not supported for SSH. I tried to revoke an SSH cert, and could find the revoked record in revoked_ssh_certs. But when I tried to get the CRL from /1.0/crl, the response showed "No Revoked Certificates.". So, is SSH CRL not supported? And do we have a plan for it?

gangxie112 commented 8 months ago

Checked the latest code; the record in revoked_ssh_certs is only used to prevent renewing the cert.

hslatman commented 7 months ago

Hey @gangxie112, you're correct, we currently only support CRLs for X509 certificates. We haven't had this request many times before and at this time we don't have the resources to add SSH CRL (KRL) support ourselves. However, we're open to a community contribution here, similar to how X509 CRLs were implemented by someone from the user community.

There's an existing issue that I think covers what you're looking for: https://github.com/smallstep/certificates/issues/256. I'm closing this issue in favor of that one. Feel free to reopen if you think this issue is warranted.
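Since the thread establishes that `/1.0/crl` covers only X.509 certificates and that `revoked_ssh_certs` is consulted only at renewal, an operator who needs SSH hosts to honour those revocations has to build an OpenSSH KRL from the stored serials themselves. The following is an added example, not step-ca code: it parses the serial and key ID out of an OpenSSH certificate (per the PROTOCOL.certkeys layout), checks it against a constructed list of revoked serials (the `serial` field name and record shape are assumed, not step-ca's schema), and emits the spec file that `ssh-keygen -k` turns into a KRL.

```python
import base64
import struct

# Constructed revoked_ssh_certs entries (field names assumed, not step-ca's schema).
REVOKED = [{"serial": 1234, "reason": "key compromise"},
           {"serial": 5678, "reason": "superseded"}]
# SSH "string" fields between the nonce and the serial, per certificate type (PROTOCOL.certkeys).
_PUBKEY_FIELDS = {
    b"ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    b"ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    b"ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
}

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Return (serial, key_id) from a one-line OpenSSH certificate (*-cert.pub)."""
    cert_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    kind, off = _read_string(blob, 0)
    if kind != cert_type.encode() or kind not in _PUBKEY_FIELDS:
        raise ValueError("unsupported certificate type: %r" % cert_type)
    _, off = _read_string(blob, off)                 # nonce
    for _ in range(_PUBKEY_FIELDS[kind]):
        _, off = _read_string(blob, off)             # public key components
    (serial,) = struct.unpack(">Q", blob[off:off + 8])
    off += 8 + 4                                     # serial, then uint32 cert type (user/host)
    key_id, _ = _read_string(blob, off)
    return serial, key_id.decode()

def is_revoked(line, revoked=REVOKED):
    """True if the certificate's serial appears in the revocation records."""
    return parse_cert(line)[0] in {r["serial"] for r in revoked}

def krl_spec(revoked=REVOKED):
    """KRL spec text for `ssh-keygen -k -f revoked.krl -s ssh_ca.pub spec` (one serial per line)."""
    return "".join("serial: %d\n" % r["serial"] for r in revoked)

def _string(b):
    return struct.pack(">I", len(b)) + b

def make_test_cert(serial, key_id):
    """Constructed ed25519 user cert for parsing only (zero key material, no valid signature)."""
    kind = b"ssh-ed25519-cert-v01@openssh.com"
    body = (_string(kind) + _string(b"\0" * 32) + _string(b"\0" * 32)
            + struct.pack(">QI", serial, 1) + _string(key_id.encode()))
    return "%s %s constructed" % (kind.decode(), base64.b64encode(body).decode())
```

The resulting KRL can be distributed to hosts via `RevokedKeys` in `sshd_config`, which is the mechanism OpenSSH itself uses for certificate revocation.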