e388cfec64
* Refactor serial creation to common helper

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add BYOC revocation to PKI mount

  This allows operators to revoke certificates via a PEM blob passed to Vault. In particular, Vault verifies the signature on the certificate from an existing issuer within the mount, ensuring that one indeed issued this certificate. The certificate is then added to storage and its serial submitted for revocation.

  This allows certificates generated with no_store=true to be submitted for revocation afterwards, given a full copy of the certificate. As a consequence, all roles can now safely move to no_store=true (if desired for performance) and revocation can be done on a case-by-case basis.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on BYOC revocation

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PEM length check to BYOC import

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOC

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Guard against legacy CA bundle usage

  This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with a non-upgraded CA issuer bundle.

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
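Added example, not code from the Vault repository: a stand-alone Go sketch of the acceptance check the commit message describes for a bring-your-own certificate (bound the PEM blob's size before parsing, decode it, then accept it only if its signature verifies against one of the mount's issuers, after which its serial can be stored and revoked). The names maxPEMLen, FindIssuer and MkCert, the 16 KiB bound and the throwaway certificates are assumptions constructed for this demo, not Vault's values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

const maxPEMLen = 16 * 1024 // assumed bound on the submitted blob; not Vault's value

// FindIssuer returns the parsed certificate and the index of the mount issuer that signed it.
func FindIssuer(pemBlob []byte, issuers []*x509.Certificate) (*x509.Certificate, int, error) {
	if len(pemBlob) > maxPEMLen { // reject oversized input before touching any parser
		return nil, -1, errors.New("certificate PEM exceeds size limit")
	}
	block, _ := pem.Decode(pemBlob)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, -1, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, -1, err
	}
	for i, iss := range issuers { // CheckSignatureFrom also requires a CA with certSign usage
		if cert.CheckSignatureFrom(iss) == nil {
			return cert, i, nil // safe to store and queue cert.SerialNumber for revocation
		}
	}
	return nil, -1, errors.New("no issuer in this mount signed the certificate")
}

// MkCert makes a throwaway ECDSA cert: self-signed CA if isCA, else a leaf signed by parent/signKey (constructed demo data).
func MkCert(serial int64, isCA bool, parent *x509.Certificate, signKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "byoc-demo"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if isCA {
		tmpl.KeyUsage, parent, signKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A certificate issued by a CA outside the mount fails CheckSignatureFrom against every issuer and is rejected, which is what keeps an attacker from revoking (or inserting) arbitrary serials through this path.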
4 lines
152 B
Plaintext
```release-note:improvement
secrets/pki: Allow revocation of certificates with explicitly provided certificate (bring your own certificate / BYOC).
```