189a776307
* Add infrastructure for warnings on CRL rebuilds

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning on issuer missing KU for CRL Signing

  When an entire issuer equivalency class is missing CRL signing usage (but otherwise has key material present), we should add a warning so operators can either correct this issuer or create an equivalent version with KU specified.

  Resolves: https://github.com/hashicorp/vault/issues/20137

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer warnings

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix return order of CRL builders

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
4 lines
137 B
Plaintext
```release-note:improvement
secrets/pki: Add warning when issuer lacks KeyUsage during CRL rebuilds; expose in logs and on rotation.
```
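Review bot: the entry text "issuer lacks KeyUsage" is broader than what the commit message describes, which is an issuer equivalency class missing the CRL signing usage while still having key material present. Consider naming the usage explicitly, for example "issuer lacks CRL Signing KeyUsage", so an operator reading the changelog knows which bit to check on the issuer certificate. The commit message also names the remediation (correct the issuer or create an equivalent one with the KU specified); a short pointer to that in the entry or the docs would help operators who first meet the warning in the logs.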