
Revoke of a Certificate #93

Open
tal-hason opened this issue May 30, 2024 · 9 comments
Assignees
Labels
enhancement New feature or request

Comments

@tal-hason

Hi, I am currently implementing the adcs plugin with cert-manager, and I can't see any reference to revoking certificates when deleting the certificate item from the cluster.

@tal-hason tal-hason changed the title from "Revoke of a dertificate" to "Revoke of a Certificate" on May 30, 2024
@djkormo
Owner

djkormo commented Jun 14, 2024

What is your scenario? You delete the certificate object from Kubernetes and the certificate in ADCS is still active?

@tal-hason
Author

Yes, after we removed the certificate item, we checked in ADCS and it was still present...

@djkormo
Owner

djkormo commented Jun 15, 2024

The current version does not support revoking certificates.

  1. The Certificate object on Kubernetes is controlled by cert-manager itself. The ADCS issuer only uses the certificaterequest in its loop and creates an adcsrequest as a dedicated resource (one to one) to store information about the certificate id from the ADCS service.
  2. We can try to make an implementation so that when the certificaterequest and its child adcsrequest are deleted, a call is prepared to revoke the certificate from the ADCS service. I can prepare a dedicated finalizer on adcsrequest objects to do it. It could be an option controlled via the dedicated configmap.
  3. I have to find out how to revoke a certificate via the ADCS API.

@tal-hason
Author

Thanks for the update; that option will be a great feature.

I will try to look over the API of ADCS to see if I can assist with what needs to be done to revoke a certificate.

@djkormo djkormo added the enhancement New feature or request label Jun 15, 2024
@tal-hason
Author

So, from the link you shared it looks like it's possible, if the current implementation is using the COM interface. Then you can use:

ICertAdmin::RevokeCertificate

COM interface to automate certificate

https://learn.microsoft.com/en-us/windows/win32/api/certadm/nf-certadm-icertadmin-revokecertificate

@tal-hason
Author

I don't remember if there is any location that holds the serial number of the created certificate, but it can be stored as an annotation or in a field in the status.

@djkormo
Owner

djkormo commented Jun 15, 2024

Here you have this field
https://github.com/djkormo/adcs-issuer/blob/master/api/v1/adcsrequest_types.go#L55

The current implementation uses https with ntlm support.
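The finalizer-based revocation sketched in djkormo's second comment, with the certificate id read from the adcsrequest status, as an added Go example that is not the adcs-issuer project's own code: the CRD fields, the finalizer key and the Revoker interface are assumptions standing in for the real controller-runtime types, and the ADCS call itself is left behind the interface.

```go
package main

import "fmt"

const adcsFinalizer = "adcs-issuer.example/revoke-on-delete" // hypothetical key

// Stand-in for the project's CRD; field names are assumptions, not the real type.
type AdcsRequest struct {
	Finalizers []string
	Deleting   bool   // stands in for metadata.deletionTimestamp being set
	CertID     string // ADCS-side certificate identifier recorded in status
}
// Revoker abstracts the ADCS call (ICertAdmin::RevokeCertificate behind HTTPS/NTLM).
type Revoker interface{ Revoke(certID string) error }
// RevokeFunc lets a plain function (or a test double) act as a Revoker.
type RevokeFunc func(string) error
func (f RevokeFunc) Revoke(id string) error { return f(id) }

func finalizerIndex(r *AdcsRequest) int {
	for i, f := range r.Finalizers {
		if f == adcsFinalizer {
			return i
		}
	}
	return -1
}
func removeFinalizer(r *AdcsRequest) {
	if i := finalizerIndex(r); i >= 0 {
		r.Finalizers = append(r.Finalizers[:i], r.Finalizers[i+1:]...)
	}
}

// Reconcile runs the finalizer flow. A true result means revocation failed: the
// finalizer stays, so the object is not garbage-collected until ADCS confirms.
func Reconcile(r *AdcsRequest, rev Revoker, revokeEnabled bool) (bool, error) {
	switch {
	case !revokeEnabled: // feature off via configmap: never block deletion
		removeFinalizer(r)
	case !r.Deleting && finalizerIndex(r) < 0: // live object: register so deletion waits
		r.Finalizers = append(r.Finalizers, adcsFinalizer)
	case r.Deleting && finalizerIndex(r) >= 0:
		if r.CertID != "" { // nothing was issued, so there is nothing to revoke
			if err := rev.Revoke(r.CertID); err != nil {
				return true, fmt.Errorf("revoke %s: %w", r.CertID, err)
			}
		}
		removeFinalizer(r)
	}
	return false, nil
}
```

The point of keeping the finalizer on a failed Revoke is that a transient ADCS outage cannot leave an active certificate behind after the Kubernetes object is gone; the controller simply sees the object again on its next loop.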
