Nick Sullivan edited this page Oct 11, 2015 · 1 revision
It would be useful to have a permanent store for CFSSL/multirootca in the form of a postgres database. This database can also be used as a source of truth about the status of the issued certificates, including revocation status.
- Create a database schema for certificates
- Add issued certificates to the database
Some additional tools should be created for interacting with this database. Specifically:
- revoke: a tool that takes a certificate or serial number and a revocation reason, and marks the certificate as revoked in the database
- ocsp: a tool that queries all unexpired certificates from the database and creates an OCSP response for each using the CFSSL OCSPSign API. The output is a file containing concatenated OCSP responses in a format that cfssl ocspserve can use.
- crl: a tool that queries all unexpired certificates from the database and creates a CRL using CFSSL's crl endpoint.
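The two pieces above (the certificate schema plus inserting issued certificates, and the revoke/ocsp/crl tools that read from it) fit together as one small store. The following is an added example and not code from the CFSSL project; the table layout, the column names, and the helper functions are assumptions made for illustration. The proposal targets Postgres; the example uses Python's built-in sqlite3 module only so that it runs offline, and the SQL is kept portable. The key design point it shows is that `unexpired()` returns good and revoked certificates alike (an OCSP responder must answer for both), while a CRL lists only the revoked, unexpired subset.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical table layout, assumed by this example (not CFSSL's own schema).
# The proposal targets Postgres; sqlite3 is used here only so it runs offline.
SCHEMA = """
CREATE TABLE IF NOT EXISTS certificates (
    serial_number    TEXT NOT NULL,
    authority_key_id TEXT NOT NULL,            -- tells the CAs of multirootca apart
    ca_label         TEXT,
    status           TEXT NOT NULL CHECK (status IN ('good', 'revoked')),
    reason           INTEGER,                  -- RFC 5280 CRLReason code
    expiry           TEXT NOT NULL,            -- ISO-8601 UTC, the cert's notAfter
    revoked_at       TEXT,
    pem              TEXT NOT NULL,
    PRIMARY KEY (serial_number, authority_key_id)
);
"""

# RFC 5280 CRLReason values used below
KEY_COMPROMISE = 1
CESSATION_OF_OPERATION = 5


def _ts(dt):
    """Serialise a tz-aware datetime so that plain string comparison orders correctly."""
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat()


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_certificate(conn, serial, aki, ca_label, expiry, pem):
    """Record a newly issued certificate; every certificate starts as 'good'."""
    conn.execute(
        "INSERT INTO certificates (serial_number, authority_key_id, ca_label, status, expiry, pem) "
        "VALUES (?, ?, ?, 'good', ?, ?)",
        (serial, aki, ca_label, _ts(expiry), pem),
    )
    conn.commit()


def revoke(conn, serial, aki, reason, now):
    """What the revoke tool does: flip status to 'revoked' and record why and when.
    Returns False when the serial is unknown or was already revoked, so a second
    revocation cannot silently overwrite the original reason and timestamp."""
    cur = conn.execute(
        "UPDATE certificates SET status = 'revoked', reason = ?, revoked_at = ? "
        "WHERE serial_number = ? AND authority_key_id = ? AND status = 'good'",
        (reason, _ts(now), serial, aki),
    )
    conn.commit()
    return cur.rowcount == 1


def unexpired(conn, aki, now):
    """Every unexpired certificate of one CA with its status: the set the ocsp
    tool iterates over, because responses are needed for good and revoked alike."""
    rows = conn.execute(
        "SELECT serial_number, status, reason, revoked_at FROM certificates "
        "WHERE authority_key_id = ? AND expiry > ? ORDER BY serial_number",
        (aki, _ts(now)),
    )
    return [dict(r) for r in rows]


def crl_entries(conn, aki, now):
    """The subset a CRL lists: revoked and not yet expired."""
    return [r for r in unexpired(conn, aki, now) if r["status"] == "revoked"]


def build_demo_store():
    """Populate a store with constructed sample data and return (conn, clock)."""
    now = datetime(2015, 10, 11, tzinfo=timezone.utc)   # constructed, fixed clock
    db = open_store()
    pem = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
    add_certificate(db, "01", "ca-a", "primary", now + timedelta(days=365), pem)
    add_certificate(db, "02", "ca-a", "primary", now - timedelta(days=1), pem)   # already expired
    add_certificate(db, "03", "ca-a", "primary", now + timedelta(days=30), pem)
    revoke(db, "03", "ca-a", KEY_COMPROMISE, now)
    return db, now


if __name__ == "__main__":
    db, now = build_demo_store()
    for entry in unexpired(db, "ca-a", now):
        print(entry)
    print("CRL serials:", [e["serial_number"] for e in crl_entries(db, "ca-a", now)])
```

The composite primary key matters in the multirootca setting: serial numbers are only unique per issuing CA, so the authority key identifier has to be part of the key or two roots could collide. Expiry is stored and compared as a normalised UTC timestamp so the ocsp and crl tools can filter expired certificates in SQL rather than parsing every PEM.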