Story #4899

As a user, I need to be able to revoke a compromised certificate

Added by Fah 5 months ago. Updated 4 months ago.

Status: NEW
Priority: Normal
Assignee: -
Category: pulp-admin
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Platform Release:
Blocks Release:
Backwards Incompatible: No
Groomed: No
Sprint Candidate: No
Tags:
QA Contact:
Complexity:
Smash Test:
Verified: No
Verification Required: No
Sprint:

Description

Environment:
pulp3 with certguard as a content guard

Details:
In the event a host on my network is compromised, I would like to be able to revoke its specific cert since it can no longer be trusted.

To do this, the certguard plugin probably needs to support a certificate revocation list (CRL). Otherwise, it will blindly trust any cert signed by it.

The CRL effectively allows you to revoke one specific cert. The current workaround is to generate a new CA and distribute new certs to all the non-compromised hosts, publish a new content endpoint protected by the new CA, then destroy the old CA.

Obviously this is much more work than simply having a list of 'known bad' individual certs (barring completely insane scenarios) and blocking them. It is also faster from a 'system compromised' to 'system locked out of other systems' perspective.

Potential fixes:
In my experience (both days) of using certguard, the easy_rsa tool chain is quite usable. I am currently using a CA and certs generated by it with yum. easy_rsa already supports CRL as part of its tooling. So there might not be a lot of work that has to happen beyond teaching certguard where to look for the list.

References:
https://tools.ietf.org/html/rfc5280
https://github.com/OpenVPN/easy-rsa

History

#1 Updated by Fah 4 months ago

This might be easier than I expected.

https://django-ca.readthedocs.io/en/latest/crl.html
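
Added example, not code from Pulp, certguard or the issue author: a shell sketch using plain `openssl` that shows the gap this story describes, where a CA-only check still accepts a revoked client cert while a CRL-aware check rejects only that cert. The CA, the `good`/`bad` hosts, all file names and the function names are constructed for the illustration.

```shell
# Constructed demo: throwaway CA, two client certs ("good", "bad"), one CRL.
# Every subject, path and function name below is made up for this example.
build_demo_pki() {
  mkdir -p "$1" && cd "$1" || return 1
  : > index.txt          # revocation database used by `openssl ca`
  echo 01 > crlnumber    # number assigned to the next CRL
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo_ca
[demo_ca]
database = ./index.txt
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 1
EOF
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout ca.key -out ca.crt 2>/dev/null || return 1
  for host in good bad; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$host.key" -out "$host.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -days 1 -out "$host.crt" 2>/dev/null || return 1
  done
  # Revoke only the compromised host's cert, then publish the CRL.
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -revoke bad.crt 2>/dev/null || return 1
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -gencrl -out crl.pem 2>/dev/null || return 1
}

# Signature-only check: any cert issued by the CA is accepted.
trusts_ca_only() { openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; }

# Signature plus CRL lookup: a cert whose serial is on the CRL is rejected.
trusts_with_crl() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1
}
```

After `build_demo_pki "$(mktemp -d)"`, `trusts_ca_only bad.crt` succeeds while `trusts_with_crl bad.crt` fails, and `good.crt` passes both checks without being reissued.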
