[
https://issues.apache.org/jira/browse/HDDS-7388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
István Fajth updated HDDS-7388:
-------------------------------
Description:
We have an {{ozone admin cert}} command, which has a list and info subcommand.
We need to add a new subcommand here to revoke a certificate based on
certificateSerialID, and to revoke all certificates related to a host, ideally
we also should handle a list of certificateSerialIDs or hosts.
As revoking a certificate can happen in the future, we should also add an option
to revoke a certificate at a given time.
Further consideration will be needed for immediate certificate revocation, as we
need to give some time for a service to notice if its certificate is revoked,
so that it can renew it in time... This time window we give for an immediate
revocation should consider the timeframe since a CRL may be cached in clients,
and harmonize with that timeframe.
was:
We have an {{ozone admin cert}} command, which has a list and info subcommand.
We need to add a new subcommand here to revoke a certificate based on
certificateSerialID, and to revoke all certificates related to a host, ideally
we also should handle a list of certificateSerialIDs or hosts.
> Add CLI to initiate certificate revocation
> ------------------------------------------
>
> Key: HDDS-7388
> URL: https://issues.apache.org/jira/browse/HDDS-7388
> Project: Apache Ozone
> Issue Type: Sub-task
> Reporter: István Fajth
> Assignee: István Fajth
> Priority: Major
>
> We have an {{ozone admin cert}} command, which has a list and info subcommand.
> We need to add a new subcommand here to revoke a certificate based on
> certificateSerialID, and to revoke all certificates related to a host,
> ideally we also should handle a list of certificateSerialIDs or hosts.
> As revoking a certificate can happen in the future, we should also add an
> option to revoke a certificate at a given time.
> Further consideration will be needed for immediate certificate revocation, as we
> need to give some time for a service to notice if its certificate is
> revoked, so that it can renew it in time... This time window we give for an
> immediate revocation should consider the timeframe since a CRL may be cached
> in clients, and harmonize with that timeframe.