PKI Tidy Revocation List optionally Tidy Revoked Certs that are Unexp…

…ired Removes added whitespace PKI Tidy, `tidy_revoked_certs` documentation
hashicorp · Jul 13, 2018 · 555b0c8 · 555b0c8
1 parent 4c55d28
commit 555b0c8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/builtin/logical/pki/path_tidy.go b/builtin/logical/pki/path_tidy.go
@@ -31,6 +31,14 @@ the revocation list`,
 				Default: false,
 			},
 
+			"tidy_revoked_certs": &framework.FieldSchema{
+				Type: framework.TypeBool,
+				Description: `Set to true to expire all revoked
+certificates, even if their duration has not yet passed. This will cause these
+certificates to be removed from the CRL the next time the CRL is generated.`,
+				Default: false,
+			},
+
 			"safety_buffer": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
 				Description: `The amount of extra time that must have passed
@@ -54,6 +62,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 	safetyBuffer := d.Get("safety_buffer").(int)
 	tidyCertStore := d.Get("tidy_cert_store").(bool)
 	tidyRevocationList := d.Get("tidy_revocation_list").(bool)
+	tidyRevokedCerts := d.Get("tidy_revoked_certs").(bool)
 
 	if safetyBuffer < 1 {
 		return logical.ErrorResponse("safety_buffer must be greater than zero"), nil
@@ -163,7 +172,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 						return errwrap.Wrapf(fmt.Sprintf("unable to parse stored revoked certificate with serial %q: {{err}}", serial), err)
 					}
 
-					if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
+					if tidyRevokedCerts || time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
 						if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil {
 							return errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from revoked list: {{err}}", serial), err)
 						}

diff --git a/website/source/api/secret/pki/index.html.md b/website/source/api/secret/pki/index.html.md
@@ -1532,6 +1532,10 @@ expiration time.
 - `tidy_revocation_list` `(bool: false)` Specifies whether to tidy up the
   revocation list (CRL).
 
+- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked
+  certificates, even if their duration has not yet passed. This will cause these
+  certificates to be removed from the CRL the next time the CRL is generated.
+
 - `safety_buffer` `(string: "")` Specifies  A duration (given as an integer
   number of seconds or a string; defaults to `72h`) used as a safety buffer to
   ensure certificates are not expunged prematurely; as an example, this can keep