Puppet Server / SERVER-2550

The CA API should accept CRL updates


Details

    • Froyo
    • 5
    • Froyo - 03/24/2021, Froyo - 04/7/2021, Froyo - 04/21/2021, Froyo - 05/05/2021, Froyo - 05/19/2021, Froyo - 06/02/2021
    • Major
    • 7,500
    • New Feature
    • Added a new API endpoint `PUT /puppet-ca/v1/certificate_revocation_list` that accepts a list of CRL PEMs as a body, and updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts on disk. Cannot be used to update the CRL associated with the Puppet CA signing cert (just earlier ones in the cert chain). This is for use by customers treating the Puppet CA as an intermediate signing CA for their corporate PKI, whose CRLs require frequent updating.
    • Needs Assessment

    Description

      When running the Puppet CA as a subordinate of an external root, the revocation lists published by the external CA chain must be kept up to date. Most upstream CAs operate with a short interval between CRL updates. For example, Active Directory Certificate Services defaults to publishing new CRLs on a one-week cadence. If an externally published CRL expires, then certificate validation within the Puppet infrastructure will fail.

      In order to facilitate updates of external CRLs, the Puppet CA API should accept revocation list uploads and handle the details of adding them to the right ca_crl and infrastructure_crl files along with distribution to other Puppet components. Providing an API for this yields some important benefits:

      • Locating and retrieving an updated CRL from a distribution point can involve several finicky details around protocols and credentials used to access the update. Adding a CRL update API allows this complexity to be delegated to an external script that runs as a scheduled task or cron job.
      • Adding an API endpoint allows Puppet Server to appropriately serialize updates to its on-disk CRL files with respect to concurrent revocation activity around Puppet agent certificates. This addresses the potential for CRL file corruption that would occur if an external update process wrote directly to the files.
      • Logging around CRL refresh activity is written to the Puppet Server access log in an easily parsed format.

      Acceptance criteria:

      • HTTPS endpoint in the puppet-ca/v1 API that receives a POST to consume CRL updates on the /certificate_revocation_list resource.
      • Should use the same tk-auth rules as the existing CA admin endpoints.
      • Writes a new CRL file (given chain + local CA CRL) to be used by the server & CA. All uses should be satisfied by writing the CRLs to disk at the location the CA writes it during revocations.
      • Should not cause race conditions with existing revocations (utilizes existing CRL write lock).
      • Logs that it has received CRLs and updated the CRL file at INFO level.

      Docs: see DOC-4999
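      As an added example, not Puppet Server's own code, the Python script below (using the `cryptography` library) applies the update rule described in this ticket to a PEM CRL bundle: an on-disk CRL is replaced only when a submitted CRL from the same issuer carries a strictly higher CRL number, and the CRL issued by the Puppet CA signing cert is never replaced. The CA names, keys and CRL numbers are constructed fixtures; the endpoint's tk-auth, write lock and access logging are not reproduced.

```python
import datetime as dt, re
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----\n?", re.S)
def load_bundle(pem: bytes):
    """Split a PEM bundle (the shape of the request body) into CRL objects."""
    return [x509.load_pem_x509_crl(m.group(0)) for m in PEM_CRL.finditer(pem)]

def crl_number(crl) -> int:
    return crl.extensions.get_extension_for_class(x509.CRLNumber).value.crl_number

def merge_crl_updates(on_disk: bytes, submitted: bytes, signing_ca: x509.Name):
    """Return (new_chain_pem, updated_issuers). A submitted CRL replaces the on-disk CRL
    with the same issuer only if its CRL number is strictly higher; the CRL issued by the
    Puppet CA signing cert is never replaced; unmatched submissions are ignored."""
    newest = {}  # issuer -> highest-numbered submitted CRL for that issuer
    for crl in load_bundle(submitted):
        if crl.issuer not in newest or crl_number(crl) > crl_number(newest[crl.issuer]):
            newest[crl.issuer] = crl
    chain, updated = [], []
    for current in load_bundle(on_disk):  # on-disk order is preserved
        candidate = newest.get(current.issuer)
        take = (candidate is not None and current.issuer != signing_ca
                and crl_number(candidate) > crl_number(current))
        if take:
            updated.append(current.issuer.rfc4514_string())
        chain.append(candidate if take else current)
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in chain), updated

def make_crl(key, issuer: x509.Name, number: int) -> bytes:
    """Constructed fixture: a signed, empty CRL carrying the given CRL number."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer).last_update(now)
         .next_update(now + dt.timedelta(days=7)).add_extension(x509.CRLNumber(number), False))
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)

def demo():
    """Constructed scenario: root CRL #5 on disk (#4 stale and #6 submitted); Puppet CA #3 on disk, #4 refused."""
    root_key, puppet_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    root = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Corp Root CA")])
    puppet = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Puppet CA")])
    on_disk = make_crl(root_key, root, 5) + make_crl(puppet_key, puppet, 3)
    submitted = (make_crl(root_key, root, 4) + make_crl(root_key, root, 6)
                 + make_crl(puppet_key, puppet, 4))
    new_chain, updated = merge_crl_updates(on_disk, submitted, puppet)
    return [crl_number(c) for c in load_bundle(new_chain)], updated
```

      Verifying each submitted CRL's signature against its issuer certificate before accepting it is a further check this example leaves out.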

People: Maggie Dreyer, Charlie Sharpsteen
Votes: 2
Watchers: 12