
cert-checker: Detect if a certificate was issued by a revoked intermediate after the revocation time

Open pgporada opened this issue 2 years ago • 2 comments

The 2023 key ceremony is going to generate an intermediate, immediately revoke it, and never have it configured in Boulder, but we still need a plan for the eventuality of an active intermediate needing to be revoked.

pgporada avatar Aug 18 '23 18:08 pgporada

We discussed this in standup today and it was decided that cert-checker is the best place to do this kind of detection. Cert-checker will need to download each intermediate's CRL from the CRL Distribution Point each time it begins a run. For posterity that URL looks like this:

$ openssl x509 -in lets-encrypt-e1.der -inform der -noout -text | grep -A2 'X509v3 CRL Distribution Points:' | tail -n1 | awk -F'URI:' '{print $2}'
http://x2.c.lencr.org/

pgporada avatar Aug 22 '23 19:08 pgporada

In the event that an active intermediate was to be revoked, a rough guide of what to do is:

  1. Set useForRSALeaves and useForECDSALeaves to false in each CA in each datacenter as shown here. Do not remove any configuration about the intermediate from the CA, ocsp-responder, RA, WFE, etc.
  2. Restart all the CAs in each datacenter
  3. Revoke the intermediate
  4. Generate and sign a new CRL containing the revoked intermediate from the applicable root

The reason we would need to leave the disabled, revoked intermediate in the CA config is that it's still necessary to generate CRLs for the end-entity certificates it had issued.

pgporada avatar Aug 22 '23 20:08 pgporada
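The check the issue title asks for, as an added example that is not Boulder's cert-checker code and not from the thread's participants: given a leaf, the intermediate that issued it, the root, and the root-signed CRL that cert-checker would have downloaded from the intermediate's CRL Distribution Point, it verifies the CRL signature and issuer, confirms the leaf chains to the intermediate, looks the intermediate's serial up in the CRL, and flags the leaf if its NotBefore is at or after the recorded revocation time. `CheckLeaf`, `Finding` and `Fixture` are names chosen here; `Fixture` builds a throwaway root/intermediate/leaf chain and CRL in memory so the example runs offline (Go 1.21+ for `RevokedCertificateEntries`), where the real cert-checker would fetch the CRL over HTTP instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is the outcome of checking one leaf against the CRL covering its intermediate.
type Finding struct {
	IntermediateRevoked   bool
	RevokedAt             time.Time
	IssuedAfterRevocation bool // the condition the issue wants cert-checker to flag
}

// CheckLeaf reports whether leaf's validity starts at or after the time its issuing
// intermediate inter was revoked in crl, a CRL signed by root (hypothetical helper).
func CheckLeaf(leaf, inter, root *x509.Certificate, crl *x509.RevocationList) (Finding, error) {
	var f Finding
	// Trust nothing in the CRL until its signature verifies under the root.
	if err := crl.CheckSignatureFrom(root); err != nil {
		return f, fmt.Errorf("CRL signature: %w", err)
	}
	// Serials are scoped to an issuer, so the CRL must come from the intermediate's issuer.
	if !bytes.Equal(crl.RawIssuer, inter.RawIssuer) {
		return f, fmt.Errorf("CRL issuer does not match intermediate issuer")
	}
	// Confirm the leaf really was issued by this intermediate.
	if err := leaf.CheckSignatureFrom(inter); err != nil {
		return f, fmt.Errorf("leaf not issued by intermediate: %w", err)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(inter.SerialNumber) != 0 {
			continue
		}
		f.IntermediateRevoked, f.RevokedAt = true, e.RevocationTime
		// X.509 times have one-second granularity, so an equal timestamp is
		// flagged too rather than given the benefit of the doubt.
		f.IssuedAfterRevocation = !leaf.NotBefore.Before(e.RevocationTime)
		break
	}
	return f, nil
}

// Fixture builds a constructed root -> intermediate -> leaf chain and a root CRL
// revoking the intermediate at revokedAt. Throwaway test keys, not CA material.
func Fixture(revokedAt, leafNotBefore time.Time) (leaf, inter, root *x509.Certificate, crl *x509.RevocationList) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := func(serial int64, cn string) *x509.Certificate { // CA template: certSign and cRLSign
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: revokedAt.Add(-72 * time.Hour), NotAfter: revokedAt.Add(72 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{byte(serial)},
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	sign := func(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der) // DER we just produced always parses
		return c
	}
	rootTmpl := ca(1, "Example Root")
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = sign(ca(2, "Example Intermediate"), root, &interKey.PublicKey, rootKey)
	leaf = sign(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: leafNotBefore, NotAfter: leafNotBefore.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}},
		inter, &leafKey.PublicKey, interKey)
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: revokedAt, NextUpdate: revokedAt.Add(24 * time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: inter.SerialNumber, RevocationTime: revokedAt, ReasonCode: 1}}, // 1 = keyCompromise
	}, root, rootKey)
	if err != nil {
		panic(err)
	}
	if crl, err = x509.ParseRevocationList(der); err != nil {
		panic(err)
	}
	return
}

func main() {
	revokedAt := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC)
	for _, nb := range []time.Time{revokedAt.Add(-time.Hour), revokedAt.Add(time.Hour)} {
		leaf, inter, root, crl := Fixture(revokedAt, nb)
		f, err := CheckLeaf(leaf, inter, root, crl)
		fmt.Printf("NotBefore=%s revoked=%v issuedAfterRevocation=%v err=%v\n", nb.Format(time.RFC3339), f.IntermediateRevoked, f.IssuedAfterRevocation, err)
	}
}
```

The signature and issuer checks come before the serial lookup on purpose: a CRL that cert-checker downloads over plain HTTP from the CDP is untrusted input, and matching serials against a CRL from the wrong issuer (or an unsigned one) would turn the detector into a false-positive generator. A leaf issued before the revocation time is reported as chaining to a revoked intermediate but not flagged, which is the distinction the issue title draws.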