[HDDS-7333] Implement support for certificate revocation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
- certificate_revocation
- pki

Description

Our current code contains parts of the implementation that was driven by the design doc in ~~HDDS-2731~~. In the documentation in HDDS-7331 it is discussed why an other approach is more beneficial for us.
The goals here are based on the new proposed approach:

create CRL distribution endpoint in SCMs
add cRLDistributionPoints property to our internal certificates
internalize the revocation logic inside SCMs
add CLI for certificate revocation
integrate certificate revocation check based on the CRL distribution points where needed
handle renewal, revoke and remove old certificate

Attachments

Issue Links

blocks

HDDS-7331 Ozone PKI improvements

Open

is duplicated by

HDDS-105 SCM CA: Handle CRL

Resolved

relates to

HDDS-10889 Remove certificate revocation related code.

Resolved

Sub-Tasks

1.	Create a CRL endpoint in SCM	Open	István Fajth
2.	Include SCM{s)'s cRLDisributionPoint to the certificates used internally	Open	István Fajth
3.	Re-organize existing certificate revocation logic in the current codebase	Open	István Fajth
4.	Add CLI to initiate certificate revocation	Open	István Fajth
5.	Owned certificate's revocation check for services	Open	István Fajth
6.	Revoke old certificate once a service renews its certificate	Open	István Fajth
7.	Root CA certificate revocation	Open	István Fajth
8.	Subordinate CA certificate revocation	Open	István Fajth

Activity

People

Assignee:: István Fajth

Reporter:: István Fajth

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Oct/22 21:24

Updated:: 21/May/24 09:57