From 7850f0e05e3b4d1bf25156585557c0305cc96e35 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alex.scheel@hashicorp.com>
Date: Tue, 24 Jan 2023 10:30:50 -0500
Subject: [PATCH] Ensure unified_crl requires auto_rebuild (#18819)

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---
 builtin/logical/pki/path_config_crl.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/builtin/logical/pki/path_config_crl.go b/builtin/logical/pki/path_config_crl.go
index 050d90c5f..efbff21f3 100644
--- a/builtin/logical/pki/path_config_crl.go
+++ b/builtin/logical/pki/path_config_crl.go
@@ -257,6 +257,10 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
 		return logical.ErrorResponse("unified_crl cannot be enabled on local mounts."), nil
 	}
 
+	if !config.AutoRebuild && config.UnifiedCRL {
+		return logical.ErrorResponse("unified_crl=true requires auto_rebuild=true, as unified CRLs cannot be rebuilt on every revocation."), nil
+	}
+
 	entry, err := logical.StorageEntryJSON("config/crl", config)
 	if err != nil {
 		return nil, err