Details
- Improvement
- Status: Resolved
- Normal
- Resolution: Done
Description
When running the Puppet CA as a subordinate of an external root, the revocation lists and certificates that make up the external CA chain must be kept up to date. Most external CAs operate with a short interval between CRL updates; for example, Active Directory Certificate Services defaults to publishing new CRLs on a one-week cadence. If an externally published CRL or CA certificate expires, certificate validation within the Puppet infrastructure will fail.
In order to alert operators to the impending expiration of a CA certificate or CRL entry, the Puppet Server status API should include these dates in its output. Then consumers of the API can flag certs visibly to administrators. If there is demand, we can add a separate flag to warn users in the API output itself.
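As an added illustration (not part of this issue or of Puppet Server's code), the following Ruby check computes what the proposed status output would carry: the not_after of each CA certificate and the next_update of each CRL in the chain, each flagged when it has passed or falls within an assumed seven-day warning window. It builds a throwaway CA certificate and CRL with Ruby's standard openssl library so it runs offline; WARN_WINDOW, the helper names and the sample subject are assumptions.

```ruby
require 'openssl'

# Assumed threshold: flag entries that become invalid within seven days.
WARN_WINDOW = 7 * 24 * 3600

# Construct a sample CA certificate and CRL for demonstration only; a real
# check would load the external chain and CRL files from disk instead.
def build_sample_ca(cert_days:, crl_days:, now: Time.now)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Sample External Root CA')

  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = now - 3600
  cert.not_after  = now + cert_days * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))

  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = name
  crl.last_update = now - 3600
  crl.next_update = now + crl_days * 24 * 3600
  crl.sign(key, OpenSSL::Digest.new('SHA256'))

  [cert, crl]
end

# Report the expiry date of every CA cert (not_after) and CRL (next_update),
# marking each as 'ok', 'expiring_soon' or 'expired' relative to `now`.
def chain_expiry_report(certs, crls, now: Time.now)
  entries = certs.map { |c| { type: 'ca_cert', subject: c.subject.to_s, expires: c.not_after } } +
            crls.map  { |c| { type: 'crl',     subject: c.issuer.to_s,  expires: c.next_update } }
  entries.each do |e|
    e[:state] = if e[:expires] <= now             then 'expired'
                elsif e[:expires] - now <= WARN_WINDOW then 'expiring_soon'
                else 'ok'
                end
  end
  entries
end
```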
Issue Links
- relates to SERVER-2535: CRL issue with Intermediate CA setup (Closed)