
Support crlDistributionPoints & ocspServers #53

Open
xunholy opened this issue Sep 29, 2021 · 2 comments
Labels
triage/support Indicates an issue that is a support question.

Comments


xunholy commented Sep 29, 2021

It's my understanding that to use the CAS CRL I would need to configure cert-manager to support the OCSP server, which is available in the native cert-manager configuration; however, it is not supported in this plugin issuer.

native capability
https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CAIssuer

plugin
https://github.com/jetstack/google-cas-issuer/blob/38289b08eff47f94570e394755510dd4cacafd0b/api/v1beta1/googlecasissuer_types.go#L28

jakexks added the triage/support label Sep 30, 2021

jakexks (Member) commented Sep 30, 2021

Hi @xunholy

If you have enabled CRL in your CA Pool, issued certificates should already contain the CRL distribution endpoint, which is managed by Google. It's not an extension that is included in certificate requests; it's the responsibility of the CA (Google's CAS only supports CRL for enterprise tier CA pools).

Are you intending to run your own OCSP responder?

sanjayanz commented

Hi,
We would like to understand how validation of certificates can be done against the CRL (storage bucket) using cert-manager. There is a bespoke design using CloudRun (operating as OCSP) and storage buckets here: https://github.com/GoogleCloudPlatform/gcp-ca-service-ocsp, which addresses this. However, we were hoping cert-manager could handle the revocation validation, in addition to issuance and renewals.
