Add Certificate Revocation List

[aschor]

Hello

Having a gui to create certificates is super nice. the server certificate is available to download and use with nginx (after copying it) or caddy (directly in configuration) or whatever.

But I am wondering : how to handle when you delete a certificate, for it to not work anymore ? It seems to me that it should be added to a CRL, also available to download and to use by proxy servers am I right ? (note : it seems that nginx needs to see all CA certificates in the chain in the CRL - unrevoked off course - for the CRL to work ; see : https://stackoverflow.com/questions/17086934/nginx-unable-to-get-certificate-crl)

for now, deleting a certificate will not invalidate it, making it a security risk IMO

nginx can handle CRLs with :

      ssl_verify_client optional;
      ssl_client_certificate /etc/nginx/server.crt;

caddy can handle it via a pluggin (I've not tested it) : https://github.com/gr33nbl00d/caddy-revocation-validator

[7ritn]

Yeah I considered adding it. Main stopping reason is that I use caddy and it does not support it natively, which would mean I would have to have a custom Containerfile. But yeah I can add it

[7ritn]

Would you also be interested in OCSP validation or only CRL?

[7ritn]

Both OCSP as well as CRL don't really seem to be properly supported by the openssl crate, making it's implementation difficult. Other implementations found:

OCSP: https://crates.io/crates/x509-ocsp (but proper release 0.3 is still outstanding)
CRL: https://github.com/RustCrypto/formats/tree/master/x509-cert

I did try some experimenting to get the CRL to work, but getting dependencies right is confusing.

[7ritn]

I will have to wait to implement this feature until the dependencies are updated. Most are in a release candidate state, so hopefully I can continue soon.

[7ritn]

Interesting PR to bring CRL to openssl: rust-openssl/rust-openssl#2174
Otherwise can use rcgen to generate CRLs.

[mplogas]

Hi,
is CRL/OSCP still on your TODO list or did you have to drop it since it's not properly supported yet?

Anyway, thanks for your tool, love it so far!

[7ritn]

I still would like to do it, but the respective projects don't seem to add support for it. I will try to get support for it this year even if no progress is made there.