
Support crlDistributionPoints & ocspServers

Open xunholy opened this issue 3 years ago • 2 comments

It's my understanding that to use the CAS CRL I would need to configure cert-manager to support the OCSP server, which is available in the native cert-manager configuration; however, it is not supported in this plugin issuer.

native capability https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CAIssuer

plugin https://github.com/jetstack/google-cas-issuer/blob/38289b08eff47f94570e394755510dd4cacafd0b/api/v1beta1/googlecasissuer_types.go#L28

xunholy avatar Sep 29 '21 23:09 xunholy

Hi @xUnholy

If you have enabled CRL in your CA Pool, issued certificates should already contain the CRL distribution endpoint, which is managed by Google. It's not an extension that is included in certificate requests; it's the responsibility of the CA (Google's CAS only supports CRL for enterprise tier CA pools).

Are you intending to run your own OCSP responder?

jakexks avatar Sep 30 '21 12:09 jakexks

Hi, we would like to understand how validation of certificates can be done against the CRL (storage bucket) using cert-manager. There is a bespoke design using CloudRun (operating as OCSP) and storage buckets here - https://github.com/GoogleCloudPlatform/gcp-ca-service-ocsp, which addresses this. However, we were hoping cert-manager can handle the revocation validation, in addition to issuance and renewals.

sanjayanz avatar Oct 06 '21 04:10 sanjayanz
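The two points in this thread (the CA, not the CSR, puts the CRL distribution point and OCSP URLs into issued certificates; and cert-manager only issues and renews, so revocation checking has to happen in the relying party) are illustrated by the following Go program. It is an added example, not code from this thread or from the google-cas-issuer project: it builds a constructed, in-memory CA in place of a CAS pool, issues a leaf carrying hypothetical `crl.constructed.example` / `ocsp.constructed.example` URLs, reads those extensions back out, and then does the client-side CRL check (signature against the issuer, freshness, serial lookup). With CAS the CRL bytes would instead be fetched from the storage bucket named in the certificate's CDP extension.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle is a constructed stand-in for a CA pool and one certificate it issued.
// It is not Google CAS output; the CA key lives only in memory.
type Bundle struct {
	CAKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
	Leaf   *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewBundle creates a throwaway CA and issues one leaf whose extensions carry
// the CRL distribution point and OCSP responder URLs. Those extensions are set
// by the issuing CA here, exactly as they are not part of the CSR in practice.
func NewBundle(cdpURL, ocspURL string) *Bundle {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// crlSign is required for CreateRevocationList to accept this CA as issuer.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "svc.constructed.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Where a relying party fetches revocation data for this certificate (hypothetical URLs).
		CRLDistributionPoints: []string{cdpURL},
		OCSPServer:            []string{ocspURL},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	return &Bundle{CAKey: caKey, CACert: caCert, Leaf: leaf}
}

// RevocationEndpoints reads the CRL distribution points and OCSP responder URLs
// out of an issued certificate. Running this over a real CAS-issued certificate
// is how you confirm the pool's CRL setting actually took effect.
func RevocationEndpoints(c *x509.Certificate) (cdps, ocsp []string) {
	return c.CRLDistributionPoints, c.OCSPServer
}

// IssueCRL signs a CRL from the CA that lists the given serials as revoked.
func IssueCRL(b *Bundle, revoked []*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	entries := make([]pkix.RevokedCertificate, 0, len(revoked))
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, b.CACert, b.CAKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked is the relying-party check that cert-manager itself does not do:
// verify the CRL was signed by the issuer, refuse a stale CRL, then look up the serial.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("crl stale: nextUpdate %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	b := NewBundle("http://crl.constructed.example/pool.crl", "http://ocsp.constructed.example")
	cdps, ocsp := RevocationEndpoints(b.Leaf)
	fmt.Println("CDP:", cdps, "OCSP:", ocsp)
	crl, err := IssueCRL(b, []*big.Int{b.Leaf.SerialNumber})
	check(err)
	revoked, err := IsRevoked(crl, b.CACert, b.Leaf, time.Now())
	fmt.Println("revoked:", revoked, "err:", err)
}
```

The freshness and signature checks in `IsRevoked` are the part worth keeping: a CRL pulled from a bucket is just a file, so a client that skips `CheckSignatureFrom` or ignores `NextUpdate` can be fed an old or forged list.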