Details
- New Feature
- Status: Resolved
- Normal
- Resolution: Done
- None
- Froyo
- 5
- Froyo - 03/24/2021, Froyo - 04/7/2021, Froyo - 04/21/2021, Froyo - 05/05/2021, Froyo - 05/19/2021, Froyo - 06/02/2021
- Major
- 7,500
- New Feature
- Needs Assessment
Description
When running the Puppet CA as a subordinate of an external root, the revocation lists published by the external CA chain must be kept up to date. Most upstream CAs operate with a short interval between CRL updates. For example, Active Directory Certificate Services defaults to publishing new CRLs on a one-week cadence. If an externally published CRL expires, then certificate validation within the Puppet infrastructure will fail.
To facilitate updates of external CRLs, the Puppet CA API should accept revocation list uploads and handle the details of adding them to the right ca_crl and infrastructure_crl files, along with distribution to other Puppet components. Providing an API for this yields some important benefits:
- Locating and retrieving an updated CRL from a distribution point can involve several finicky details around the protocols and credentials used to access the update. Adding a CRL update API allows this complexity to be delegated to an external script that runs as a scheduled task or cron job.
- Adding an API endpoint allows Puppet Server to appropriately serialize updates to its on-disk CRL files with respect to concurrent revocation activity around Puppet agent certificates. This addresses the potential for CRL file corruption that would occur if an external update process wrote directly to the files.
- Logging around CRL refresh activity is written to the Puppet Server access log in an easily parsed format.
Acceptance criteria:
- HTTPS endpoint in the puppet-ca/v1 API that receives a POST to consume CRL updates on the /certificate_revocation_list resource.
- Should use the same tk-auth rules as the existing CA admin endpoints.
- Writes a new CRL file (given chain + local CA CRL) to be used by the server & CA. All uses should be satisfied by writing the CRLs to disk at the location the CA writes them during revocations.
  - Including the infra-crl pem.
- Should not cause race conditions with existing revocations (utilizes the existing CRL write lock).
- Logs that it has received CRLs and updated the CRL file at INFO level.
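The acceptance criteria above describe a server-side merge: take the uploaded upstream CRL chain, keep the CA's own CRL, rewrite ca_crl and infra_crl under the existing CRL write lock, and log at INFO. The following is an added illustration of that flow, not Puppet Server's own code. It assumes the file names `ca_crl.pem` and `infra_crl.pem` under a CA directory, a lock file named `crl.lock` standing in for Puppet Server's in-process write lock, and that the CA's own CRL is the first PEM block in each file; the CRL bodies used for the demo are constructed placeholders, not real CRLs.

```python
"""Added example: merge an uploaded upstream CRL chain into the CA's on-disk
CRL files without racing a concurrent revocation. Not Puppet Server's code;
file names, lock name and block order are assumptions."""
import base64
import fcntl
import logging
import os
import re
import tempfile
from pathlib import Path

log = logging.getLogger("puppet-ca.crl")

# Matches one PEM-armoured CRL block and captures its base64 body.
PEM_CRL = re.compile(
    r"-----BEGIN X509 CRL-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END X509 CRL-----"
)

# Constructed placeholder bodies (a tiny DER SEQUENCE), NOT real CRLs.
SAMPLE_CRL_A = "-----BEGIN X509 CRL-----\nMAMCAQE=\n-----END X509 CRL-----\n"
SAMPLE_CRL_B = "-----BEGIN X509 CRL-----\nMAMCAQI=\n-----END X509 CRL-----\n"


def split_crls(pem_text: str) -> list[str]:
    """Return each CRL block re-wrapped at 64 columns. Rejects uploads that
    carry anything other than well-formed CRL blocks (certificates, keys,
    stray text), and checks the base64 decodes to DER starting with the
    SEQUENCE tag 0x30 as a minimal sanity check."""
    blocks = []
    for m in PEM_CRL.finditer(pem_text):
        body = "".join(m.group(1).split())
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN X509 CRL-----\n{wrapped}\n-----END X509 CRL-----\n")
    if PEM_CRL.sub("", pem_text).strip():
        raise ValueError("upload contains non-CRL PEM data")
    if not blocks:
        raise ValueError("upload contains no CRLs")
    return blocks


def _atomic_write(path: Path, content: str) -> None:
    """Write via temp file + rename so readers never see a half-written CRL."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def update_crl_files(cadir: Path, uploaded_pem: str) -> dict:
    """Replace the upstream part of ca_crl.pem and infra_crl.pem with the
    uploaded chain while holding the CRL write lock, so a revocation that
    rewrites the same files cannot interleave with this update."""
    chain = split_crls(uploaded_pem)          # validate before taking the lock
    ca_crl = cadir / "ca_crl.pem"             # assumed file name
    infra_crl = cadir / "infra_crl.pem"       # assumed file name
    with open(cadir / "crl.lock", "w") as lock:   # stand-in for the CA's write lock
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            # Assumption: the CA's own CRL is the first block of each file.
            local_ca_crl = split_crls(ca_crl.read_text())[0]
            local_infra_crl = split_crls(infra_crl.read_text())[0]
            _atomic_write(ca_crl, local_ca_crl + "".join(chain))
            _atomic_write(infra_crl, local_infra_crl + "".join(chain))
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
    log.info("Received %d upstream CRL(s); updated %s and %s", len(chain), ca_crl, infra_crl)
    return {"upstream_crls": len(chain), "total_in_ca_crl": len(chain) + 1}


def demo() -> dict:
    """Set up a throwaway CA dir with constructed CRLs and apply an upload."""
    cadir = Path(tempfile.mkdtemp(prefix="cadir."))
    (cadir / "ca_crl.pem").write_text(SAMPLE_CRL_A)
    (cadir / "infra_crl.pem").write_text(SAMPLE_CRL_A)
    result = update_crl_files(cadir, SAMPLE_CRL_A + SAMPLE_CRL_B)
    result["on_disk"] = len(split_crls((cadir / "ca_crl.pem").read_text()))
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Validation happens before the lock is taken, so a malformed upload cannot hold up a concurrent revocation, and the rename-based write means a reader that opens the file mid-update sees either the old or the new CRL, never a truncated one.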
Docs: see DOC-4999
- Add details based on the API decisions made in SERVER-2961. Docs for the existing certificate_revocation_list endpoint: https://github.com/puppetlabs/osp-docs/blob/latest-preview/server/http_certificate_revocation_list.md
- Document how to use the new CRL update endpoint as part of the "how to set up an intermediate CA" documentation.
Attachments
Issue Links
- relates to
  - SERVER-3033 Ensure CRL update endpoint is accessible (Resolved)
  - SERVER-3031 Prep demo of CRL update endpoint (Resolved)
  - SERVER-2535 CRL issue with Intermediate CA setup (Closed)
  - SERVER-3018 Docs: Update expired external CRLs with the CRL update endpoint (Resolved)
1. Implement CA API to take updated upstream CRLs | Closed | Molly Waggett
2. Document CRL update endpoint | Closed | Unassigned