Offline rootCA Revocation List Upload #28747

Open
jackenbaer opened this issue Oct 22, 2024 · 0 comments

Description:
When using an offline Root CA in HashiCorp Vault, it's not currently possible to revoke an intermediate CA properly, as there is no built-in API endpoint to upload a signed Certificate Revocation List (CRL). The offline Root CA model means that Vault cannot automatically sign and upload CRLs without manual intervention or external plugins like the ACME plugin. This makes it challenging to maintain CRL distribution and ensure proper revocation processes for Intermediate CAs.

Proposed Solution:
I suggest creating a new API endpoint that would allow users to manually upload a pre-signed CRL. This would facilitate better support for offline Root CAs without relying on external tools or plugins. By adding this feature, administrators could manually upload the signed CRL from their offline Root CA, which would then be distributed by Vault for certificate revocation.
