certera-io / certera

A central validation server for Let's Encrypt certificates

Home Page: https://docs.certera.io


Certificate revocation

carloscarnero opened this issue

Does the action of deleting a certificate via the UI request a revocation? If not, what should be the procedure?

Hi @carloscarnero

Deleting does not currently issue a revocation against Let's Encrypt servers. I've thought a little about this, but not too much. Revocation has some problems of its own, but that doesn't mean it can't still be used. Here's more info from the LE site: https://letsencrypt.org/docs/revoking/

I'm thinking that a checkbox on the delete page will allow you to choose to revoke on deleting. If checked, it will perform the revocation call. If not, it'll simply delete it. How does that sound?

From where I stand, adding that will make certera able to cover the whole certificate lifecycle. It'd be great, IMO.

On second thought, I'm not sure I like it on the delete page anymore.

I'd like to incorporate getting the OCSP result from the issuer so you can validate that it's been revoked. If you delete the cert, you'll lose the ability to view/verify OCSP status. Perhaps a better solution would be to make the revocation not part of delete, but on the certificate page itself. For example, when viewing the details of a certificate (the page where it shows the API keys and the history of changes), there should be an option to view the OCSP response from the CA. You can also perform revocation there on the page (and subsequently re-validate the OCSP response). If all is as expected, then you can proceed to deleting as you see fit.

Let me mull over it so things are consistent and give the most flexible experience for everyone. I'll get back to you soon.
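The "re-validate the OCSP response after revoking" step above, as an added example that is not certera's code: a responder's signed OCSP answer for a leaf certificate, and the checks a client should run on that answer (responder status, signature over tbsResponseData, matching serial, freshness) before trusting it. It uses the Python `cryptography` library and a CA and leaf constructed in memory, with the issuer key standing in for the CA's OCSP responder; nothing here contacts Let's Encrypt.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _cert(subject, issuer, pubkey, signer, is_ca):
    now = datetime.datetime.utcnow()
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))


def build_test_pki():
    """Constructed issuer + leaf (stand-ins for the CA and a managed certificate)."""
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, True)
    leaf = _cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, False)
    return ca_key, ca_cert, leaf


def responder_answer(ca_key, ca_cert, leaf, revoked):
    """DER OCSP response as the CA's responder would return it (issuer key signs here)."""
    now = datetime.datetime.utcnow()
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_status(der_response, leaf, ca_cert):
    """Validate the response before believing it; returns (cert status, revocation reason)."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status}")
    # Responder is the issuer itself in this demo: verify its signature over tbsResponseData.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != leaf.serial_number:
        raise ValueError("response is for a different certificate")
    if resp.next_update is not None and resp.next_update < datetime.datetime.utcnow():
        raise ValueError("stale OCSP response")
    return resp.certificate_status, resp.revocation_reason
```

Against a real CA the request built with `ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1())` is POSTed to the OCSP URL from the leaf's Authority Information Access extension, and the signature is checked against the CA's designated responder certificate rather than the issuer key directly.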

@carloscarnero

Please check out version 2.1.0-beta here: https://github.com/certera-io/certera/releases/tag/2.1.0-beta

It has the OCSP check and revocation ability on the certificate page. Please give that a try and let me know what you think.

I can confirm that both OCSP checks and certificate revocation work correctly! (I tried it on two different certs.) Thank you!

Thanks for confirming!