Two PKI improvements: #5134

Merged
merged 1 commit into from
Aug 21, 2018

jefferai
Member

  • Disallow adding CA's serial to revocation list
  • Allow disabling revocation list generation. This returns an empty (but
    signed) list, but does not affect tracking of revocations so turning it
    back on will populate the list properly.
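
The second item above, as an added Go example that is not part of this pull request or of Vault's code: with generation disabled the published CRL is still validly signed but lists nothing, while the tracked revocations are untouched and reappear once it is re-enabled. The names `newCA`, `signCRL` and `must`, the throwaway CA and the revoked serial 42 are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a constructed, throwaway self-signed CA (serial 1) for this demonstration.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, now := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SubjectKeyId: []byte{1}}
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// signCRL (hypothetical name) always returns a signed list; when disabled it lists nothing and leaves
// tracked untouched. It reports how many serials are listed and whether the CA's signature verifies.
func signCRL(ca *x509.Certificate, key *ecdsa.PrivateKey, tracked []pkix.RevokedCertificate, disabled bool) (int, bool) {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if !disabled {
		t.RevokedCertificates = tracked
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, key))))
	return len(crl.RevokedCertificates), crl.CheckSignatureFrom(ca) == nil
}

func main() {
	ca, key := newCA()
	tracked := []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}} // constructed
	fmt.Println(signCRL(ca, key, tracked, true))  // CRL generation disabled
	fmt.Println(signCRL(ca, key, tracked, false)) // turned back on
}
```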


~> Note: Disabling the CRL does not affect whether revoked certificates are
stored internally. Certificates that have been revoked when a role's
certificate storage is enabled will continue to be marked and stored as


The certificate store shouldn't be a bottleneck because each cert is stored in a different k/v pair in the Consul storage backend - whereas the CRL is stored in a single k/v pair? Is that right @jefferai ?

Member Author

Right.

@jefferai jefferai merged commit b54b264 into master Aug 21, 2018
@jefferai jefferai deleted the crl-disabling branch August 21, 2018 15:21