as a user I need to be able to revoke a compromised certificate
pulp3 with certguard as a content guard
In the event a host on my network is compromised, I would like to be able to revoke its specific cert since it can no longer be trusted.
To do this, the certguard plugin probably needs to support a certificate revocation list (crl). Otherwise, it will blindly trust any cert signed by it.
The CRL effectively allows you to revoke one specific cert. The current work around is to generate a new CA and distribute new certs to all the non-compromised hosts, publish a new content end point protected by the new CA, then destroy the old CA.
Obviously this is much more work than simply having a list of 'known bad' individual certs (barring completely insane scenarios) and blocking them. It is also faster from a system compromised to system locked out of other systems perspective.
In my experience (both days) of using certguard, the easy_rsa tool chain is quite usable. I am currently using a CA and certs generated by it with yum. eashy_rsa already supports CRL as part of its tooling. So there might not be a lot of work that has to happen beyond teaching certguard where too look for the list.
This might be easier than I expected.
Please register to edit this issue