Add new API to PKI to list revoked certificates #17779

stevendpclark · 2022-11-02T18:18:57Z

A new API that will return the list of serial numbers of revoked certificates on the local cluster.

❯ curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request LIST \
    http://127.0.0.1:8200/v1/pki_int/certs/revoked | jq
{
  "request_id": "e221b49c-6c28-0b08-30dc-e2dd2f37d077",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "keys": [
      "3d:80:91:c3:c2:34:3b:81:69:3d:92:a3:80:69:db:53:04:26:ab:b4"
    ]
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}

- A new API that will return the list of serial numbers of revoked certificates on the local cluster.

cipherboy · 2022-11-03T16:05:11Z

website/content/api-docs/secret/pki.mdx

+
+| Method | Path              |
+|:-------|:------------------|
+| `LIST`  | `/certs/revoked`  |


Oops yup will fix this, thanks for catching it!

cipherboy · 2022-11-03T16:07:30Z

builtin/logical/pki/storage.go

@@ -1216,3 +1216,12 @@ func (sc *storageContext) writeAutoTidyConfig(config *tidyConfig) error {

 	return sc.Storage.Put(sc.Context, entry)
 }
+
+func (sc *storageContext) listRevokedCerts() ([]string, error) {


Ah cool, we should use this elsewhere eventually :)

cipherboy · 2022-11-03T16:18:34Z

builtin/logical/pki/backend_test.go

+	requireSuccessNonNilResponse(t, resp, err, "error revoking cert 2")
+
+	// Test that we get back the expected serial numbers.
+	resp, err = CBList(b, s, "certs/revoked")


Wanna also make sure we see these serial numbers in the regular list too?

By regular list are you referring to LIST /certs?

Pefect, looks great!

Add new API to PKI to list revoked certificates

037a5c1

- A new API that will return the list of serial numbers of revoked certificates on the local cluster.

stevendpclark added the secret/pki label Nov 2, 2022

stevendpclark added this to the 1.13.0-rc1 milestone Nov 2, 2022

stevendpclark requested review from kitography, cipherboy and a team November 2, 2022 18:18

Add cl

9d42ba5

cipherboy reviewed Nov 3, 2022

View reviewed changes

cipherboy approved these changes Nov 3, 2022

View reviewed changes

PR feedback

e5a330e

vercel bot deployed to Preview November 3, 2022 17:31 View deployment

stevendpclark merged commit 4df5979 into main Nov 3, 2022

stevendpclark deleted the stevendpclark/vault-9719-list-revoked-certs branch November 3, 2022 18:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add new API to PKI to list revoked certificates #17779

Add new API to PKI to list revoked certificates #17779

stevendpclark commented Nov 2, 2022

cipherboy Nov 3, 2022

stevendpclark Nov 3, 2022

cipherboy Nov 3, 2022

cipherboy Nov 3, 2022

stevendpclark Nov 3, 2022

cipherboy Nov 3, 2022

cipherboy Nov 3, 2022

Add new API to PKI to list revoked certificates #17779

Add new API to PKI to list revoked certificates #17779

Conversation

stevendpclark commented Nov 2, 2022

cipherboy Nov 3, 2022

Choose a reason for hiding this comment

stevendpclark Nov 3, 2022

Choose a reason for hiding this comment

cipherboy Nov 3, 2022

Choose a reason for hiding this comment

cipherboy Nov 3, 2022

Choose a reason for hiding this comment

stevendpclark Nov 3, 2022

Choose a reason for hiding this comment

cipherboy Nov 3, 2022

Choose a reason for hiding this comment

cipherboy Nov 3, 2022

Choose a reason for hiding this comment