Story #4899

As a user, I need to be able to revoke a compromised certificate

Added by Fah about 1 year ago. Updated 2 months ago.

Status: NEW
Priority: Normal
Assignee: -
Category: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:

Description

Environment:
pulp3 with certguard as a content guard

Details:
In the event a host on my network is compromised, I would like to be able to revoke its specific cert since it can no longer be trusted.

To do this, the certguard plugin probably needs to support a certificate revocation list (CRL). Otherwise, it will blindly trust any cert signed by it.

The CRL effectively allows you to revoke one specific cert. The current workaround is to generate a new CA and distribute new certs to all the non-compromised hosts, publish a new content endpoint protected by the new CA, then destroy the old CA.

Obviously this is much more work than simply having a list of 'known bad' individual certs (barring completely insane scenarios) and blocking them. It is also faster from a "system compromised" to "system locked out of other systems" perspective.

Potential fixes:
In my experience (both days) of using certguard, the easy_rsa toolchain is quite usable. I am currently using a CA and certs generated by it with yum. easy_rsa already supports CRL as part of its tooling. So there might not be a lot of work that has to happen beyond teaching certguard where to look for the list.

References:
https://tools.ietf.org/html/rfc5280
https://github.com/OpenVPN/easy-rsa
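
The per-certificate revocation requested above, as an added example that is not part of the original issue and is not code from Pulp, certguard or easy-rsa: a throwaway CA driven by the plain `openssl` CLI issues two host certs, revokes one, and compares a CA-signature-only check with one that also consults the CRL. The function names, host names and temporary directory are constructed for the demo.

```bash
# Added demo, not project code. pki_init/issue/revoke/trusted and the host
# names are constructed; everything lives in a temporary directory.
pki_init() {   # $1 = working directory
  mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial"
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null && gencrl "$1"
}
gencrl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }
issue() {      # $1 = dir, $2 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl ca -batch -notext -config "$1/ca.cnf" -in "$1/$2.csr" \
    -out "$1/$2.crt" 2>/dev/null
}
revoke() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null && gencrl "$1"; }
trusted() {    # $3 = "crl" also enforces the CRL; otherwise CA signature only
  if [ "${3:-}" = crl ]; then
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2.crt"
  else
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt"
  fi 2>/dev/null | grep -q ': OK$'
}
d=$(mktemp -d) && pki_init "$d" && issue "$d" host-a && issue "$d" host-b && revoke "$d" host-b
for h in host-a host-b; do          # host-b plays the compromised host
  trusted "$d" "$h"     && echo "$h: accepted by CA-signature check"
  trusted "$d" "$h" crl && echo "$h: accepted with CRL check" || echo "$h: rejected by CRL check"
done
```

The CRL has to be regenerated and redistributed after every revocation, and a verifier that enforces it needs a current CRL even when nothing is revoked, which is why `pki_init` publishes an empty one.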

History

#1 Updated by Fah about 1 year ago

This might be easier than I expected.

https://django-ca.readthedocs.io/en/latest/crl.html

#2 Updated by bmbouter 2 months ago

  • Category deleted (15)

We are simplifying the Category to remove pulp-admin. It wasn't meaningfully used. We are rethinking Categories that make sense for Pulp3 soon.
