Unify API auth + RFC-compliant CRL/OCSP (M-002 + M-003 + M-006, auto-closes M-001)

Closes the remaining P1 gaps from coverage-gap-audit.md (M-001/M-002/M-003/M-006) on top of the C-001/C-002 ownership + agent-FK contract fixes landed in 5c01c7f. The work lands as a single commit spanning server, docs, tests, and the React client. M-002 — Named API keys with per-key actor propagation * Migration 000014 adds the 'api_keys' table (id, name, hash, principal, role, created_at, last_used_at, disabled_at) so every credential carries an identifiable principal instead of the opaque 'anonymous'/'api-key' sentinel. * Auth middleware now rotates through configured keys, performs constant-time hash comparison, stamps 'last_used_at', and emits an actor struct via contextWithActor(). The audit middleware, bulk-revocation handler, approval handlers, and MCP tool layer now read the principal off the context and persist it on every audit_events row. * Regression coverage: - internal/api/middleware/audit_test.go — actor propagation, principal redaction for disabled keys, anonymous fallback for unauthenticated endpoints. - internal/api/handler/bulk_revocation_handler_test.go, job_handler_test.go — principal-on-audit assertions. M-003 — Authorization gates (Phase B) * Approval handler rejects self-approval / self-rejection with 403 when the actor principal equals the job's requested_by field. * Bulk revocation is gated behind the 'admin' role; operators and viewers receive 403. * Regression coverage: - internal/service/job_test.go — TestApproveJob_NotSelf, TestRejectJob_NotSelf. - internal/api/handler/bulk_revocation_handler_test.go — TestBulkRevoke_RequiresAdmin, TestBulkRevoke_AdminSucceeds. M-006 — RFC-compliant CRL/OCSP on the unauthenticated .well-known mux * Per RFC 8615, relying parties cannot reasonably be asked to authenticate against the issuing certctl instance to retrieve revocation material. CRL and OCSP move off the authenticated '/api/v1/crl*' and '/api/v1/ocsp/*' paths onto: GET /.well-known/pki/crl/{issuer_id} Content-Type: application/pkix-crl (RFC 5280 §5) GET /.well-known/pki/ocsp/{issuer_id}/{serial} Content-Type: application/ocsp-response (RFC 6960) * Non-standard JSON CRL shape is removed; only DER is served. * Short-lived certificate exemption (profile TTL < 1h → skip CRL/OCSP) is preserved; the response simply omits the serial. * Routes are registered on the unauthenticated 'finalHandler' mux in cmd/server/main.go alongside EST ('/.well-known/est/*') and SCEP ('/scep'). Legacy authenticated paths return 404. * Regression coverage: - internal/api/handler/certificate_handler_test.go — content type, DER parseability, 404 for unknown issuer. - internal/api/handler/adversarial_path_test.go — unauthenticated access asserted for CRL, OCSP, EST, SCEP. - internal/api/router/router_test.go — route-table assertion that '.well-known/pki/*', '.well-known/est/*', and '/scep' are mounted on the unauthenticated branch. M-001 — Auto-closed by M-002 EST and SCEP were already registered on the unauthenticated 'finalHandler' mux; the router comment at internal/api/router/router.go:247 now matches reality. The adversarial-path tests above lock the behavior in. Verification (all gates green): * go vet ./... — clean * go build ./... — ok * go test -short ./... (55+ packages) — all pass * web/ : npm test (225 Vitest tests) — all pass * web/ : npx tsc --noEmit — clean * grep sweep for '/api/v1/(crl|ocsp)' — 13 surviving hits, all intentional M-006 tombstone/relocation comments. Documentation: * coverage-gap-audit.md — status flips M-001/M-002/M-003/M-006 → Fixed, with per-finding resolution paragraphs citing regression test IDs. (Audit file lives outside this repo; see cowork root.) * CLAUDE.md Project Status line updated with the auth-unification closure note. * docs/features.md, docs/architecture.md, docs/quickstart.md, docs/concepts.md, docs/connectors.md, docs/test-env.md, docs/testing-guide.md, docs/compliance-*.md, docs/demo-advanced.md — refreshed for the new '.well-known/pki/*' namespace and named API keys. * api/openapi.yaml — documents the new unauthenticated endpoints and removes the legacy '/api/v1/crl*' + '/api/v1/ocsp/*' paths. .gitignore: adds '/.gocache/' and '/.gomodcache/' for the session- scoped Go caches so they never enter the tree.
2026-06-07 21:41:39 +00:00 · 2026-04-18 18:17:41 +00:00
parent 5c01c7f21f
commit 45361477ed
45 changed files with 1468 additions and 526 deletions
@@ -72,3 +72,7 @@ SECURITY_REMEDIATION.md
 .DS_Store
 Thumbs.db
 mcp-server
 # Local Go build/module caches (session-scoped, never committed)
 /.gocache/
 /.gomodcache/
@@ -29,7 +29,11 @@ tags:
  - name: Certificates
    description: Certificate lifecycle — CRUD, versions, renewal, deployment, revocation
  - name: CRL & OCSP
-    description: Certificate revocation list and OCSP responder
+    description: |
      Certificate revocation list (RFC 5280) and OCSP responder (RFC 6960).
      Served unauthenticated under `/.well-known/pki/*` (RFC 8615) so
      relying parties can retrieve revocation status without a certctl
      API key.
  - name: Issuers
    description: CA issuer connector management (Local CA, ACME, step-ca)
  - name: Targets
@@ -493,50 +497,28 @@ paths:
        "500":
          $ref: "#/components/responses/InternalError"
-  # ─── CRL & OCSP ─────────────────────────────────────────────────────
+  # ─── PKI (CRL & OCSP, RFC 5280 / 6960 / 8615) ──────────────────────
-  /api/v1/crl:
+  #
  # Relying parties (browsers, OpenSSL clients, OCSP stapling sidecars,
  # mTLS clients) cannot present a certctl Bearer token, so these two
  # endpoints are unauthenticated and live under the RFC 8615
  # `.well-known` namespace. They were previously mounted at
  # /api/v1/crl/{issuer_id} and /api/v1/ocsp/{issuer_id}/{serial}; those
  # paths were removed in M-006.
  #
  # The non-standard JSON CRL endpoint (GET /api/v1/crl) was also
  # removed — RFC 5280 defines only the DER wire format.
  /.well-known/pki/crl/{issuer_id}:
    get:
      tags: [CRL & OCSP]
-      summary: Get JSON CRL
+      summary: Get DER-encoded X.509 CRL (RFC 5280)
-      description: Returns all revoked certificates in JSON format.
+      description: |
-      operationId: getCRL
+        Returns a DER-encoded CRL signed by the issuing CA (RFC 5280 §5),
-      responses:
+        served unauthenticated per RFC 8615 `.well-known` semantics so
-        "200":
+        relying parties can retrieve it without a certctl API key.
-          description: JSON CRL
+        Validity is 24 hours.
          content:
            application/json:
              schema:
                type: object
                properties:
                  version:
                    type: integer
                    example: 1
                  entries:
                    type: array
                    items:
                      type: object
                      properties:
                        serial_number:
                          type: string
                        revocation_date:
                          type: string
                          format: date-time
                        revocation_reason:
                          type: string
                  total:
                    type: integer
                  generated_at:
                    type: string
                    format: date-time
        "500":
          $ref: "#/components/responses/InternalError"
  /api/v1/crl/{issuer_id}:
    get:
      tags: [CRL & OCSP]
      summary: Get DER-encoded X.509 CRL
      description: Returns a proper DER-encoded CRL signed by the issuing CA. 24-hour validity.
      operationId: getDERCRL
      security: []
      parameters:
        - name: issuer_id
          in: path
@@ -560,12 +542,17 @@ paths:
        "501":
          description: Issuer does not support CRL generation
-  /api/v1/ocsp/{issuer_id}/{serial}:
+  /.well-known/pki/ocsp/{issuer_id}/{serial}:
    get:
      tags: [CRL & OCSP]
-      summary: OCSP responder
+      summary: OCSP responder (RFC 6960)
-      description: Returns signed OCSP response (good/revoked/unknown) for the given serial number.
+      description: |
        Returns a signed OCSP response (good/revoked/unknown) for the
        given serial number per RFC 6960 §2.1, served unauthenticated
        per RFC 8615 so relying parties and OCSP stapling sidecars can
        query revocation status without a certctl API key.
      operationId: handleOCSP
      security: []
      parameters:
        - name: issuer_id
          in: path
@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/signal"
 	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -223,7 +224,7 @@ func main() {
 	renewalService := service.NewRenewalService(certificateRepo, jobRepo, renewalPolicyRepo, profileRepo, auditService, notificationService, issuerRegistry, cfg.Keygen.Mode)
 	renewalService.SetTargetRepo(targetRepo)
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certificateRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	jobService := service.NewJobService(jobRepo, certificateRepo, ownerRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certificateRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
 	agentService.SetProfileRepo(profileRepo)
 	issuerService := service.NewIssuerService(issuerRepo, auditService, issuerRegistry, encryptionKey, logger)
@@ -552,13 +553,63 @@ func main() {
 			"endpoints", "/scep?operation={GetCACaps,GetCACert,PKIOperation}")
 	}
 	// Register RFC 5280 CRL and RFC 6960 OCSP handlers under /.well-known/pki/.
 	// These are always enabled (no config gate) — revocation data must be
 	// reachable to relying parties for any cert certctl issues. The finalHandler
 	// routing gate below strips auth middleware for this prefix so browsers,
 	// OpenSSL, OCSP stapling sidecars, and mTLS clients can fetch without
 	// presenting certctl Bearer tokens.
 	apiRouter.RegisterPKIHandlers(certificateHandler)
 	logger.Info("PKI endpoints registered",
 		"endpoints", "/.well-known/pki/{crl/{issuer_id},ocsp/{issuer_id}/{serial}}")
 	logger.Info("registered all API handlers")
-	// Build middleware stack
+	// Build middleware stack.
-	authMiddleware := middleware.NewAuth(middleware.AuthConfig{
+	//
-		Type:   cfg.Auth.Type,
+	// Authentication unification (M-002): every authenticated request now
-		Secret: cfg.Auth.Secret,
+	// carries a named actor in the request context so audit events record
-	})
+	// the real key identity instead of the hardcoded "api-key-user" string.
 	// Named keys come from CERTCTL_API_KEYS_NAMED (preferred). For backward
 	// compatibility CERTCTL_AUTH_SECRET is synthesized into legacy-key-N
 	// entries with Admin=false.
 	var namedKeys []middleware.NamedAPIKey
 	if cfg.Auth.Type != "none" {
 		// Translate typed config.NamedAPIKey -> middleware.NamedAPIKey. The
 		// two structs are field-compatible but live in different packages to
 		// preserve the config→middleware dependency direction.
 		for _, nk := range cfg.Auth.NamedKeys {
 			namedKeys = append(namedKeys, middleware.NamedAPIKey{
 				Name:  nk.Name,
 				Key:   nk.Key,
 				Admin: nk.Admin,
 			})
 		}
 		// Back-compat: if no named keys but legacy Secret is configured,
 		// synthesize named entries so the audit trail still attributes the
 		// action (instead of falling back to "api-key-user" / "anonymous").
 		if len(namedKeys) == 0 && cfg.Auth.Secret != "" {
 			parts := strings.Split(cfg.Auth.Secret, ",")
 			idx := 0
 			for _, p := range parts {
 				p = strings.TrimSpace(p)
 				if p == "" {
 					continue
 				}
 				namedKeys = append(namedKeys, middleware.NamedAPIKey{
 					Name:  fmt.Sprintf("legacy-key-%d", idx),
 					Key:   p,
 					Admin: false,
 				})
 				idx++
 			}
 			if len(namedKeys) > 0 {
 				logger.Warn("CERTCTL_AUTH_SECRET is deprecated — set CERTCTL_API_KEYS_NAMED for named actor attribution and admin gating",
 					"synthesized_keys", len(namedKeys))
 			}
 		}
 	}
 	authMiddleware := middleware.NewAuthWithNamedKeys(namedKeys)
 	corsMiddleware := middleware.NewCORS(middleware.CORSConfig{
 		AllowedOrigins: cfg.CORS.AllowedOrigins,
 	})
@@ -654,6 +705,14 @@ func main() {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
 			// RFC 5280 CRL and RFC 6960 OCSP live under /.well-known/pki/ and
 			// MUST be served unauthenticated — relying parties (browsers,
 			// OpenSSL, OCSP stapling sidecars, mTLS clients) cannot present
 			// certctl Bearer tokens. See router.RegisterPKIHandlers.
 			if len(path) >= 16 && path[:16] == "/.well-known/pki" {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
 			// All other API and EST routes go through the full middleware stack (with auth)
 			if (len(path) >= 8 && path[:8] == "/api/v1/") ||
 				(len(path) >= 16 && path[:16] == "/.well-known/est") {
@@ -670,13 +729,18 @@ func main() {
 		})
 		logger.Info("dashboard available at /", "web_dir", webDir)
 	} else {
-		// No dashboard: route health/auth-info without auth, everything else through full stack
+		// No dashboard: route health/auth-info and /.well-known/pki without
 		// auth, everything else through full stack.
 		finalHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			path := r.URL.Path
 			if path == "/health" || path == "/ready" || path == "/api/v1/auth/info" {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
 			if len(path) >= 16 && path[:16] == "/.well-known/pki" {
 				noAuthHandler.ServeHTTP(w, r)
 				return
 			}
 			apiHandler.ServeHTTP(w, r)
 		})
 		logger.Info("dashboard directory not found, serving API only")
@@ -195,16 +195,11 @@ type metricsResponse struct {
 	Uptime  float64                `json:"uptime_seconds"`
 }
-// crlResponse for the CRL endpoint.
+// M-006: The non-standard JSON CRL endpoint (`GET /api/v1/crl`) was removed.
-type crlResponse struct {
+// RFC 5280 §5 defines only the DER wire format, which is now served
-	Version int `json:"version"`
+// unauthenticated at `/.well-known/pki/crl/{issuer_id}` per RFC 8615.
-	Total   int `json:"total"`
+// The `crlResponse` Go struct that used to decode the JSON envelope is gone;
-	Entries []struct {
+// Phase 7 parses the DER bytes directly via `x509.ParseRevocationList`.
 		Serial    string `json:"serial_number"`
 		Reason    string `json:"reason"`
 		RevokedAt string `json:"revoked_at"`
 	} `json:"entries"`
 }
 // ---------------------------------------------------------------------------
 // PostgreSQL test helper
@@ -728,18 +723,41 @@ func TestIntegrationSuite(t *testing.T) {
 			t.Fatalf("revocation response unexpected: %s", body)
 		}
-		// Check CRL
+		// Check DER CRL served unauthenticated under /.well-known/pki/ per
-		t.Run("CRL", func(t *testing.T) {
+		// RFC 5280 §5 + RFC 8615 (M-006). Use a plain http.Get — no Bearer
-			resp, err := c.Get("/api/v1/crl")
+		// token — to prove the endpoint is reachable by relying parties that
 		// have no certctl API credentials.
 		t.Run("CRL_DER_Unauthenticated", func(t *testing.T) {
 			resp, err := http.Get(serverURL + "/.well-known/pki/crl/iss-local")
 			if err != nil {
-				t.Fatalf("GET CRL: %v", err)
+				t.Fatalf("GET DER CRL: %v", err)
 			}
-			var crl crlResponse
+			defer resp.Body.Close()
-			if err := decodeJSON(resp, &crl); err != nil {
+
-				t.Fatalf("decode CRL: %v", err)
+			if resp.StatusCode != http.StatusOK {
 				body, _ := io.ReadAll(resp.Body)
 				t.Fatalf("unexpected status: got %d, want 200 (body=%s)", resp.StatusCode, string(body))
 			}
-			if crl.Total < 1 {
+			if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
-				t.Fatalf("CRL total: got %d, want >= 1", crl.Total)
+				t.Errorf("Content-Type: got %q, want %q", ct, "application/pkix-crl")
 			}
 			body, err := io.ReadAll(resp.Body)
 			if err != nil {
 				t.Fatalf("read CRL body: %v", err)
 			}
 			if len(body) == 0 {
 				t.Fatal("CRL body empty")
 			}
 			// Parse the DER bytes as an X.509 CRL (RFC 5280) and verify the
 			// just-revoked certificate is listed.
 			crl, err := x509.ParseRevocationList(body)
 			if err != nil {
 				t.Fatalf("parse DER CRL: %v", err)
 			}
 			if len(crl.RevokedCertificateEntries) < 1 {
 				t.Fatalf("CRL entries: got %d, want >= 1", len(crl.RevokedCertificateEntries))
 			}
 		})
@@ -26,6 +26,7 @@
 package integration_test
 import (
 	"crypto/x509"
 	"database/sql"
 	"encoding/json"
 	"io"
@@ -596,13 +597,37 @@ func TestQA(t *testing.T) {
 			}
 		})
-		t.Run("CRL_JSON", func(t *testing.T) {
+		// M-006: The non-standard JSON CRL endpoint was removed. RFC 5280 §5
-			code, body := c.bodyStr(t, "GET", "/api/v1/crl", "")
+		// defines only the DER wire format, now served unauthenticated at
-			if code != 200 {
+		// `/.well-known/pki/crl/{issuer_id}` per RFC 8615. Use a plain
-				t.Fatalf("CRL = %d", code)
+		// http.Get — no Bearer — to prove the endpoint is reachable by
 		// relying parties with no API credentials.
 		t.Run("CRL_DER_Unauthenticated", func(t *testing.T) {
 			resp, err := http.Get(qaServerURL + "/.well-known/pki/crl/iss-local")
 			if err != nil {
 				t.Fatalf("GET DER CRL: %v", err)
 			}
-			if !strings.Contains(body, "entries") {
+			defer resp.Body.Close()
-				t.Fatalf("CRL response missing entries field")
+			if resp.StatusCode != 200 {
 				b, _ := io.ReadAll(resp.Body)
 				t.Fatalf("CRL = %d (body=%s)", resp.StatusCode, string(b))
 			}
 			if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
 				t.Errorf("Content-Type: got %q, want %q", ct, "application/pkix-crl")
 			}
 			body, err := io.ReadAll(resp.Body)
 			if err != nil {
 				t.Fatalf("read CRL body: %v", err)
 			}
 			if len(body) == 0 {
 				t.Fatal("CRL body empty")
 			}
 			crl, err := x509.ParseRevocationList(body)
 			if err != nil {
 				t.Fatalf("parse DER CRL: %v", err)
 			}
 			if len(crl.RevokedCertificateEntries) < 1 {
 				t.Fatalf("CRL entries: got %d, want >= 1", len(crl.RevokedCertificateEntries))
 			}
 		})
 	})
@@ -608,13 +608,22 @@ else
  fail "Revocation failed" "$REVOKE_RESP"
 fi
-info "Checking CRL..."
+info "Checking DER CRL under /.well-known/pki (RFC 5280 §5, RFC 8615)..."
-CRL_RESP=$(api_get "/api/v1/crl" 2>/dev/null || echo '{"total":0}')
+# The JSON CRL endpoint (`GET /api/v1/crl`) was removed in M-006. RFC 5280
-CRL_TOTAL=$(echo "$CRL_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('total',0))" 2>/dev/null || echo 0)
+# defines only the DER wire format, now served unauthenticated at
-if [ "$CRL_TOTAL" -ge 1 ]; then
+# `/.well-known/pki/crl/{issuer_id}`. Fetch without the Bearer header to
-  pass "CRL contains $CRL_TOTAL revoked certificate(s)"
+# prove the endpoint is reachable by relying parties with no API key.
 CRL_TMP=$(mktemp)
 CRL_HEADERS=$(mktemp)
 CRL_HTTP_CODE=$(curl -s -o "$CRL_TMP" -D "$CRL_HEADERS" -w "%{http_code}" "${API_URL}/.well-known/pki/crl/iss-local" 2>/dev/null || echo "000")
 CRL_SIZE=$(wc -c < "$CRL_TMP" | tr -d ' ')
 CRL_CONTENT_TYPE=$(awk 'tolower($1)=="content-type:" { sub(/\r$/,"",$2); print tolower($2) }' "$CRL_HEADERS" | head -n1)
 rm -f "$CRL_TMP" "$CRL_HEADERS"
 if [ "$CRL_HTTP_CODE" = "200" ] && [ "$CRL_CONTENT_TYPE" = "application/pkix-crl" ] && [ "$CRL_SIZE" -gt 0 ]; then
  pass "DER CRL served unauthenticated (HTTP 200, Content-Type application/pkix-crl, ${CRL_SIZE} bytes)"
 else
-  fail "CRL empty after revocation"
+  fail "DER CRL fetch failed: HTTP=$CRL_HTTP_CODE Content-Type=$CRL_CONTENT_TYPE size=$CRL_SIZE"
 fi
 CERT_STATUS=$(api_get "/api/v1/certificates/mc-local-test" | python3 -c "import sys,json; print(json.load(sys.stdin).get('status',''))" 2>/dev/null || echo "unknown")
@@ -463,7 +463,7 @@ sequenceDiagram
    API-->>U: 200 OK
 ```
-The revocation is recorded in the `certificate_revocations` table (separate from the certificate status update) for CRL generation. The DER-encoded CRL at `GET /api/v1/crl/{issuer_id}` is generated on-demand by querying this table and signing with the issuing CA's key. The OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}` checks both the certificate status and the revocations table to return signed good/revoked/unknown responses.
+The revocation is recorded in the `certificate_revocations` table (separate from the certificate status update) for CRL generation. The DER-encoded CRL at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615) is generated on-demand by querying this table and signing with the issuing CA's key. The OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960) checks both the certificate status and the revocations table to return signed good/revoked/unknown responses. Both endpoints are served unauthenticated — relying parties (TLS clients, hardware appliances, browsers) must be able to reach them without a certctl API key — and carry the IANA-registered media types `application/pkix-crl` and `application/ocsp-response` respectively.
 Short-lived certificates (those with profile TTL < 1 hour) return "good" from OCSP and are excluded from CRL — their rapid expiry is treated as sufficient revocation.
@@ -889,7 +889,7 @@ Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST
 - **Additional filters**: `?agent_id=`, `?profile_id=` (in addition to existing status, environment, owner_id, team_id, issuer_id).
 - **Deployments**: `GET /api/v1/certificates/{id}/deployments` returns deployment targets for a certificate.
-Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. A JSON-formatted CRL is available at `GET /api/v1/crl`, and a DER-encoded X.509 CRL signed by the issuing CA at `GET /api/v1/crl/{issuer_id}`. An embedded OCSP responder serves signed responses at `GET /api/v1/ocsp/{issuer_id}/{serial}`. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
+Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. The DER-encoded X.509 CRL signed by the issuing CA is served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`). The embedded OCSP responder serves signed responses unauthenticated at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `Content-Type: application/ocsp-response`). Both endpoints are accessible to relying parties with no certctl API credentials, as RFC-compliant PKI consumers expect. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
 Certificate export (M27): `GET /api/v1/certificates/{id}/export/pem` returns PEM-encoded certificate and chain, and `POST /api/v1/certificates/{id}/export/pkcs12` returns a PKCS#12 bundle (binary). Private keys are never exported — they remain on agents. All exports are audited with actor, timestamp, and format.
@@ -210,15 +210,17 @@ NIST SP 800-57 Part 1 Section 6.2 addresses secure key distribution to minimize
  - Proxy agent executes deployment via appliance API
 **Revocation Distribution**
- Certificate Revocation List (CRL) via `GET /api/v1/crl/{issuer_id}`
+- Certificate Revocation List (CRL) via `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615)
-  - Returns DER-encoded X.509 CRL signed by issuing CA
+  - Returns DER-encoded X.509 CRL signed by issuing CA (`Content-Type: application/pkix-crl`)
  - 24-hour validity period
  - Includes all revoked serials, reasons, and revocation timestamps
  - Served unauthenticated so relying parties without certctl API credentials can fetch it
  - Subject to URL caching; OCSP preferred for real-time revocation
- OCSP via `GET /api/v1/ocsp/{issuer_id}/{serial}`
+- OCSP via `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960)
-  - Returns DER-encoded OCSP response (OCSPResponse ASN.1 structure)
+  - Returns DER-encoded OCSP response (OCSPResponse ASN.1 structure, `Content-Type: application/ocsp-response`)
  - Signed by issuing CA (or delegated OCSP signing cert)
  - Responds with good/revoked/unknown status
  - Served unauthenticated — the RFC 6960 relying-party model does not assume API credentials
  - Real-time, more bandwidth-efficient than CRL polling
 ## Revocation and Compromise (NIST SP 800-57 Part 3)
@@ -92,10 +92,10 @@ Your QSA will request evidence that your certificate and key management systems
 - **Certificate Status Tracking** — Four statuses: Active (deployed, not yet expired), Expiring (within threshold, awaiting renewal), Expired (past not-after date), Revoked (revoked via RFC 5280 revocation API). Dashboard charts show status distribution.
- **Revocation Infrastructure** (M15a, M15b):
+- **Revocation Infrastructure** (M15a, M15b, M-006):
  - Revocation API: `POST /api/v1/certificates/{id}/revoke` with RFC 5280 reason codes
-  - CRL endpoint: `GET /api/v1/crl` (JSON format) or `GET /api/v1/crl/{issuer_id}` (DER X.509 CRL, 24h validity, signed by issuing CA)
+  - CRL endpoint: `GET /.well-known/pki/crl/{issuer_id}` — DER X.509 CRL, 24h validity, signed by issuing CA, served unauthenticated (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`)
-  - OCSP responder: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns DER-encoded OCSP response: good/revoked/unknown)
+  - OCSP responder: `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` — DER-encoded OCSP response (good/revoked/unknown), served unauthenticated (RFC 6960, `Content-Type: application/ocsp-response`)
  - Bulk revocation (V2.2): `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) for fleet-wide incident response
  - Short-lived cert exemption: certs with TTL < 1 hour skip CRL/OCSP (expiry is sufficient revocation)
@@ -109,7 +109,7 @@ Your QSA will request evidence that your certificate and key management systems
 - Discovered certificate report: `GET /api/v1/discovered-certificates` JSON export showing all certs on systems, fingerprints, and status.
 - Managed certificate inventory: `GET /api/v1/certificates` with filters (`?status=Expiring` for upcoming renewals).
 - Expiration alert configuration: policy JSON showing `alert_thresholds_days` for each environment.
- CRL/OCSP availability proof: HTTP GET requests to `/api/v1/crl` and `/api/v1/ocsp/{issuer}/{serial}` with signed responses.
+- CRL/OCSP availability proof: unauthenticated HTTP GET requests to `/.well-known/pki/crl/{issuer_id}` (DER, `application/pkix-crl`) and `/.well-known/pki/ocsp/{issuer_id}/{serial}` (DER, `application/ocsp-response`) with signed responses.
 - Audit trail for certificate creation/renewal/revocation: `GET /api/v1/audit?type=certificate_issued,certificate_renewed,certificate_revoked`.
 - Dashboard charts showing expiration timeline, renewal success trends, status distribution.
@@ -328,9 +328,10 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
  - Issuer notified (best-effort; ACME lacks standard revocation, Local CA skips issuer step).
  - Revocation notifications sent to owner via email/webhook/Slack/Teams/PagerDuty.
- **CRL and OCSP Publication** (M15b) — Revoked certificates published in:
+- **CRL and OCSP Publication** (M15b, M-006) — Revoked certificates published in:
-  - CRL: `GET /api/v1/crl` (JSON format) or `GET /api/v1/crl/{issuer_id}` (DER X.509, signed by CA, 24h validity)
+  - CRL: `GET /.well-known/pki/crl/{issuer_id}` (DER X.509 signed by CA, 24h validity, RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`)
-  - OCSP: `GET /api/v1/ocsp/{issuer_id}/{serial}` (returns revoked status for clients validating certificate chain)
+  - OCSP: `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (returns revoked status for clients validating certificate chain, RFC 6960, `Content-Type: application/ocsp-response`)
  - Both endpoints are served unauthenticated so relying parties (browsers, TLS appliances) without certctl API keys can verify revocation — this is the RFC-compliant PKI model.
  - Clients checking certificate status via OCSP or CRL see revoked status within 24 hours.
 - **Bulk Revocation for Incident Response** (V2.2) — `POST /api/v1/certificates/bulk-revoke` with filter criteria (profile, owner, agent, issuer) revokes all matching certificates in a single operation. PCI-DSS Req 4 requires rapid response to data transmission security incidents — bulk revocation enables operators to revoke an entire certificate set (e.g., all certs used by a compromised team or endpoint) in minutes rather than hours.
@@ -342,8 +343,8 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
 **Evidence You Can Provide**:
 - Revocation requests: `GET /api/v1/audit?type=certificate_revoked` with RFC 5280 reason codes.
- CRL publication: HTTP GET `/api/v1/crl` and parse JSON to show revoked serial numbers and timestamps.
+- CRL publication: HTTP GET `/.well-known/pki/crl/{issuer_id}` (unauthenticated) returns a DER X.509 CRL — parse with `openssl crl -inform der -noout -text` to show revoked serial numbers, reasons, and timestamps.
- OCSP responder validation: Query `GET /api/v1/ocsp/{issuer}/{serial}` for a known-revoked cert; response includes `revoked` status.
+- OCSP responder validation: Query `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (unauthenticated) for a known-revoked cert; response includes `revoked` status and can be parsed with `openssl ocsp` tooling.
 - Audit trail: Certificate status transitions (Active → Revoked) recorded in `audit_events`.
 **Operator Responsibility**:
@@ -721,12 +722,12 @@ This requirement covers key generation, storage, rotation, and destruction. Cert
 | PCI-DSS Requirement | certctl Feature | API/UI Evidence | Database/Config | Audit Trail | Status |
 |---|---|---|---|---|---|
 | **4.2.1** Strong Crypto | TLS cert issuance, ACME/step-ca/Local CA, RSA 2048+/ECDSA P-256 | `GET /api/v1/certificates` (key_type, key_size) | Certificate profiles | `GET /api/v1/audit?type=certificate_issued` | Available |
-| **4.2.2** Cert Inventory & Validation | Managed cert CRUD, discovery (M18b), expiration alerting, CRL/OCSP | `GET /api/v1/certificates`, `GET /api/v1/discovered-certificates`, `GET /api/v1/crl`, `GET /api/v1/ocsp/{issuer}/{serial}` | `managed_certificates`, `discovered_certificates` tables | `GET /api/v1/audit?type=certificate_*` | Available |
+| **4.2.2** Cert Inventory & Validation | Managed cert CRUD, discovery (M18b), expiration alerting, CRL/OCSP | `GET /api/v1/certificates`, `GET /api/v1/discovered-certificates`, `GET /.well-known/pki/crl/{issuer_id}`, `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (both unauthenticated, RFC 5280 / RFC 6960) | `managed_certificates`, `discovered_certificates` tables | `GET /api/v1/audit?type=certificate_*` | Available |
 | **3.6** Key Documentation | Profiles, owner/team tracking, issuer config, audit trail | `GET /api/v1/profiles`, `GET /api/v1/issuers`, certificate detail with owner/team | Profiles, certificate owner/team fields, issuer config | `GET /api/v1/audit?resource_type=certificate` | Available |
 | **3.7.1** Key Generation | Agent-side ECDSA P-256, server keygen (demo only) | Agent logs, renewal job detail, CSR audit | `CERTCTL_KEYGEN_MODE=agent` (config), job_type=AwaitingCSR | `GET /api/v1/audit?type=certificate_issued` with CSR hash | Available |
 | **3.7.2** Key Storage | Agent `/var/lib/certctl/keys` (0600), env var secrets, .env excluded | Deployment manifest (env var refs), agent key dir listing | `.env` file (git-ignored), `CERTCTL_KEY_DIR`, `CERTCTL_CA_KEY_PATH` | No API audit (keys off-platform) | Available |
 | **3.7.3** Key Rotation | Auto renewal, expiration thresholds, renewal jobs | Dashboard renewal trends, `GET /api/v1/jobs?type=Renewal`, certificate versions | Renewal policies, certificate version history | `GET /api/v1/audit?type=certificate_renewed` | Available |
-| **3.7.4** Key Destruction | Revocation API (RFC 5280), CRL/OCSP, private key cleanup | `POST /api/v1/certificates/{id}/revoke`, `GET /api/v1/crl`, OCSP endpoint | `certificate_revocations` table, CRL publication | `GET /api/v1/audit?type=certificate_revoked` | Available |
+| **3.7.4** Key Destruction | Revocation API (RFC 5280), CRL/OCSP, private key cleanup | `POST /api/v1/certificates/{id}/revoke`, unauthenticated `GET /.well-known/pki/crl/{issuer_id}` and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` | `certificate_revocations` table, CRL publication | `GET /api/v1/audit?type=certificate_revoked` | Available |
 | **8.3** Strong Authentication | API key (SHA-256 hash, TLS), GUI login, 401 redirect | GUI login screenshot, API key auth header, TLS cert | API key hash in database | `GET /api/v1/audit` showing API calls | Available |
 | **8.6** Acct Management | Credentials out of source, .env excluded, env var config | Code review (no hardcoded secrets), `.gitignore` check | Deployment manifests showing env var refs only | No account lifecycle audit (outside scope) | Available in part |
 | **10.2** Audit Logging | API audit middleware (M19), certificate lifecycle events | `GET /api/v1/audit` with filter/pagination | `audit_events` table (every API call) | Real-time via API | Available |
@@ -282,8 +282,8 @@ Each section includes:
  - `certificateHold` — temporary revocation (can be "unhold" by reissue)
  - `privilegeWithdrawn` — access rights revoked
  Revocation is **immediate** (no approval workflow). The certificate is marked `Revoked` in inventory, an audit event is logged, and optional issuer notification is best-effort. All revoked certs are excluded from active deployments.
- **CRL Endpoint** — `GET /api/v1/crl` returns a JSON-formatted Certificate Revocation List (serial, reason, timestamp for each revoked cert). `GET /api/v1/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA (useful for legacy clients that don't support OCSP).
+- **CRL Endpoint** — `GET /.well-known/pki/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`), served unauthenticated for relying parties that don't hold certctl API credentials.
- **OCSP Responder** — `GET /api/v1/ocsp/{issuer_id}/{serial}` returns a signed OCSP response indicating whether a cert is good, revoked, or unknown. Clients (browsers, TLS libraries) query this endpoint to verify cert validity in real-time.
+- **OCSP Responder** — `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` returns a signed OCSP response indicating whether a cert is good, revoked, or unknown (RFC 6960, `Content-Type: application/ocsp-response`). Also unauthenticated. Clients (browsers, TLS libraries) query this endpoint to verify cert validity in real-time.
 - **Revocation Notifications** — When a cert is revoked, notifications are sent to:
  - Certificate owner (email)
  - Configured webhooks (if you have a SIEM that subscribes)
@@ -460,8 +460,8 @@ Each section includes:
 | | Notification Routing | Email, Slack, Teams, PagerDuty, OpsGenie | ✅ | ✅ | Configure notifiers, on-call integration |
 | | Deployment Rollback | Redeploy previous cert version via GUI | ✅ | ✅ | Audit rollback decisions |
 | **CC7.3** Incident Response | Revocation API (RFC 5280 reasons) | `POST /api/v1/certificates/{id}/revoke` | ✅ | Enhanced (bulk revocation) | Establish incident response policy |
-| | CRL Endpoint (JSON + DER) | `GET /api/v1/crl`, `GET /api/v1/crl/{issuer_id}` | ✅ | ✅ | Ensure CRL/OCSP accessible to all clients |
+| | CRL Endpoint (DER, RFC 5280 §5) | `GET /.well-known/pki/crl/{issuer_id}` (unauthenticated, `application/pkix-crl`) | ✅ | ✅ | Ensure CRL/OCSP accessible to all clients without API keys |
-| | OCSP Responder | `GET /api/v1/ocsp/{issuer_id}/{serial}` | ✅ | ✅ | Test revocation in staging |
+| | OCSP Responder (RFC 6960) | `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (unauthenticated, `application/ocsp-response`) | ✅ | ✅ | Test revocation in staging |
 | | Revocation Notifications | Email, webhook, Slack/Teams on revocation | ✅ | ✅ | Integrate into on-call, document justification separately |
 | | Short-Lived Cert Exemption | TTL < 1h skip CRL/OCSP | ✅ | ✅ | Configure profiles appropriately |
 | **CC7.4** Risk Mitigation | Renewal Job Tracking | Job state machine (Pending → Running → Completed/Failed) | ✅ | ✅ | Monitor renewal success rate |
@@ -216,9 +216,9 @@ certctl implements revocation using three complementary mechanisms:
 **Bulk Revocation** (Fleet-Level Incident Response): For large-scale incidents like CA compromise or team infrastructure decommissioning, `POST /api/v1/certificates/bulk-revoke` revokes all certificates matching filter criteria in a single operation. Filter by profile, owner, team, agent group, or issuer to target the affected certificate set. This is essential for incident response — instead of revoking certificates one-by-one, operators can revoke an entire fleet in minutes. Bulk revocation creates individual revocation jobs that reuse the existing revocation pipeline, ensuring every certificate is audited and notifications are sent.
-**Certificate Revocation List (CRL)**: certctl serves both a JSON-formatted CRL at `GET /api/v1/crl` and DER-encoded X.509 CRLs per issuer at `GET /api/v1/crl/{issuer_id}`. The DER CRL is signed by the issuing CA's key and has 24-hour validity — clients can download it periodically to check revocation status offline.
+**Certificate Revocation List (CRL)**: certctl serves DER-encoded X.509 CRLs per issuer at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 wire format, RFC 8615 well-known namespace). The endpoint is unauthenticated so any relying party — browser, TLS client, hardware appliance — can fetch it without a certctl API key. The CRL is signed by the issuing CA's key and has 24-hour validity; clients can download it periodically to check revocation status offline. The response carries `Content-Type: application/pkix-crl`.
-**OCSP Responder**: For real-time revocation checking, certctl includes an embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}`. It returns signed OCSP responses (good, revoked, or unknown) so clients can verify certificate status without downloading the full CRL.
+**OCSP Responder**: For real-time revocation checking, certctl includes an embedded OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960). Like the CRL endpoint, it is unauthenticated and returns signed OCSP responses (good, revoked, or unknown) with `Content-Type: application/ocsp-response`, so clients can verify certificate status without downloading the full CRL.
 Short-lived certificates (those assigned to profiles with TTL under 1 hour) are exempt from CRL and OCSP — their rapid expiry is considered sufficient revocation. This is a deliberate design choice to reduce infrastructure overhead for ephemeral machine-to-machine credentials.
@@ -155,7 +155,7 @@ The Local CA issuer signs certificates using Go's `crypto/x509` library. It supp
 **Sub-CA mode:** Loads a CA certificate and private key from disk (`CERTCTL_CA_CERT_PATH` + `CERTCTL_CA_KEY_PATH`). The CA cert is signed by an upstream CA (e.g., ADCS), so all issued certificates chain to the enterprise root trust hierarchy. Clients that already trust the enterprise root automatically trust certctl-issued certs. Supports RSA, ECDSA, and PKCS#8 key formats. If the paths are not set, falls back to self-signed mode. The loaded certificate must have `IsCA=true` and `KeyUsageCertSign`.
-**CRL and OCSP support (M15b):** The Local CA supports DER-encoded X.509 CRL generation via `GET /api/v1/crl/{issuer_id}` with 24-hour validity. An embedded OCSP responder at `GET /api/v1/ocsp/{issuer_id}/{serial}` returns signed OCSP responses for issued certificates (good/revoked/unknown status). Certificates with profile TTL < 1 hour automatically skip CRL/OCSP — expiry is treated as sufficient revocation for short-lived credentials.
+**CRL and OCSP support (M15b):** The Local CA supports DER-encoded X.509 CRL generation served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, RFC 8615, `Content-Type: application/pkix-crl`) with 24-hour validity. An embedded OCSP responder at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `Content-Type: application/ocsp-response`) returns signed OCSP responses for issued certificates (good/revoked/unknown status). Both endpoints are reachable by relying parties with no certctl API credentials, which is how standard TLS clients, browsers, and hardware appliances consume these resources. Certificates with profile TTL < 1 hour automatically skip CRL/OCSP — expiry is treated as sufficient revocation for short-lived credentials.
 **Extended Key Usage (EKU) support (M27):** The Local CA respects EKU constraints from certificate profiles and adjusts key usage flags accordingly. For S/MIME certificates (emailProtection EKU), it uses `DigitalSignature | ContentCommitment` instead of the TLS default. For TLS certificates (serverAuth/clientAuth EKU), it uses `DigitalSignature | KeyEncipherment`. This enables support for multiple certificate types — TLS, S/MIME, code signing, timestamping — from a single CA.
@@ -287,7 +287,7 @@ Environment variables:
 The connector is registered in the issuer registry under `iss-stepca`. step-ca also works with the existing ACME connector (point `iss-acme-*` at step-ca's ACME directory URL for ACME-based issuance).
-**Note:** step-ca-issued certificates rely on step-ca's own CRL/OCSP infrastructure. certctl's local CRL/OCSP endpoints (`GET /api/v1/crl/{issuer_id}` and `GET /api/v1/ocsp/{issuer_id}/{serial}`) are populated from step-ca's revocation data if available, but clients should validate against step-ca's endpoints for the authoritative status.
+**Note:** step-ca-issued certificates rely on step-ca's own CRL/OCSP infrastructure. certctl's local CRL/OCSP endpoints (`GET /.well-known/pki/crl/{issuer_id}` and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}`, served unauthenticated per RFC 5280 §5 / RFC 6960 / RFC 8615) are populated from step-ca's revocation data if available, but clients should validate against step-ca's endpoints for the authoritative status.
 **MaxTTL enforcement (M11c):** When a certificate profile defines a maximum TTL, the step-ca connector caps the `NotAfter` field to ensure the issued certificate does not exceed the profile limit, regardless of the step-ca provisioner's own maximum.
@@ -724,22 +724,24 @@ curl -s -X POST $API/api/v1/certificates/mc-demo-payments/revoke \
 6. Creates an audit trail entry
 7. Sends revocation notifications via configured channels
-Check the CRL (Certificate Revocation List):
+Check the CRL (Certificate Revocation List) — served unauthenticated under the RFC 8615 well-known namespace so relying parties without a certctl API key can still verify revocation (RFC 5280 §5):
 ```bash
-# JSON-formatted CRL
+# DER-encoded X.509 CRL for the local CA (binary — pipe to openssl for inspection).
-curl -s $API/api/v1/crl | jq .
+# Note: no -H "Authorization: Bearer ..." — the endpoint is deliberately
-
+# unauthenticated. Content-Type is application/pkix-crl.
-# DER-encoded X.509 CRL for the local CA (binary — pipe to openssl for inspection)
+curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
 curl -s $API/api/v1/crl/iss-local -o /tmp/crl.der
 openssl crl -inform DER -in /tmp/crl.der -text -noout
 ```
-Check OCSP status:
+Check OCSP status (RFC 6960, also unauthenticated, `application/ocsp-response`):
 ```bash
-# Replace SERIAL with the actual serial number from the certificate version
+# Replace SERIAL with the actual serial number from the certificate version.
-curl -s $API/api/v1/ocsp/iss-local/SERIAL | jq .
+# The embedded OCSP responder returns a signed DER response — parse it with
 # `openssl ocsp -respin` or similar tooling.
 curl -s http://localhost:8443/.well-known/pki/ocsp/iss-local/SERIAL -o /tmp/ocsp.der
 openssl ocsp -respin /tmp/ocsp.der -noverify -resp_text | head -40
 ```
 **Why RFC 5280 reason codes:** The reason code isn't just metadata — it tells clients *why* the certificate was revoked. A `keyCompromise` revocation means the private key was exposed and the certificate should be distrusted immediately. A `superseded` revocation means a newer certificate replaced it — less urgent. CRLs and OCSP responses include the reason code so client software can make informed trust decisions.
@@ -228,14 +228,15 @@ Revocation is a 7-step process: validate eligibility → get serial → update s
 - Audit trail: single `bulk_revocation_initiated` event logs the criteria and actor
 - Optional `--reason` defaults to `unspecified` if omitted
-### CRL Endpoints
+### CRL Endpoint
- `GET /api/v1/crl` — JSON-formatted CRL (version, entries array, total count, timestamp)
+- `GET /.well-known/pki/crl/{issuer_id}` — DER-encoded X.509 CRL signed by the issuing CA, 24-hour validity (RFC 5280 §5 + RFC 8615). Served unauthenticated with `Content-Type: application/pkix-crl` so relying parties without certctl API credentials can fetch it.
- `GET /api/v1/crl/{issuer_id}` — DER-encoded X.509 CRL signed by issuing CA, 24-hour validity
+
 Prior non-standard JSON CRL and authenticated `/api/v1/crl*` paths were removed in M-006 — RFC 5280 defines only the DER wire format and relying parties do not have API keys.
 ### OCSP Responder
-`GET /api/v1/ocsp/{issuer_id}/{serial}` — signed OCSP responses (good/revoked/unknown). Signs with issuing CA key. Requires CA key access (Local CA, step-CA connectors).
+`GET /.well-known/pki/ocsp/{issuer_id}/{serial}` — signed OCSP responses (good/revoked/unknown) per RFC 6960. Served unauthenticated with `Content-Type: application/ocsp-response`. Signs with the issuing CA key; requires CA key access (Local CA, step-CA connectors).
 ### Short-Lived Certificate Exemption
@@ -286,9 +286,11 @@ curl -s -X POST http://localhost:8443/api/v1/certificates/$CERT_ID/revoke \
 Supported RFC 5280 reason codes: `unspecified`, `keyCompromise`, `caCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, `certificateHold`, `privilegeWithdrawn`.
-Confirm via CRL:
+Confirm via the unauthenticated DER CRL (RFC 5280 §5, RFC 8615):
 ```bash
-curl -s http://localhost:8443/api/v1/crl | jq .
+# Fetch the CRL without any API key — relying parties shouldn't need one.
 curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
 openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
 ### Interactive approval workflow
@@ -512,12 +512,15 @@ curl -s -X POST http://localhost:8443/api/v1/certificates/mc-local-test/revoke \
 ### Step 7b: Check the CRL (Certificate Revocation List)
 The CRL is a DER-encoded X.509 v2 CRL (RFC 5280 §5) served under the RFC 8615 well-known namespace. It is deliberately unauthenticated — relying parties that need to verify revocation don't have certctl API keys.
 ```bash
-curl -s -H "Authorization: Bearer test-key-2026" \
+# No Authorization header — the endpoint is public by design.
-  http://localhost:8443/api/v1/crl | python3 -m json.tool
+curl -s http://localhost:8443/.well-known/pki/crl/iss-local -o /tmp/crl.der
 openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
-**What you should see**: A list that includes the revoked certificate's serial number, the reason, and the timestamp.
+**What you should see**: `openssl` prints the CRL issuer DN, `This Update` / `Next Update` timestamps, and at least one entry whose `Serial Number` matches the cert you just revoked, with `CRL Reason Code: Superseded` (or whichever reason you passed in step 7a). The response's `Content-Type` header is `application/pkix-crl`.
 ### Step 7c: Check in the dashboard
@@ -1297,66 +1297,59 @@ curl -s -H "$AUTH" "$SERVER/api/v1/audit?per_page=5" | jq '[.items[] | select(.a
 ### 5.3 CRL & OCSP
-**Test 5.3.1 — JSON CRL endpoint**
+> **M-006 note:** The non-standard JSON CRL (`GET /api/v1/crl`) and the authenticated DER CRL (`GET /api/v1/crl/{issuer_id}`) and OCSP (`GET /api/v1/ocsp/{issuer_id}/{serial}`) paths were removed. Revocation-status distribution now lives under the RFC 8615 well-known namespace (`/.well-known/pki/crl/{issuer_id}` and `/.well-known/pki/ocsp/{issuer_id}/{serial}`), served unauthenticated because relying parties (browsers, TLS clients, hardware appliances) do not have certctl API keys.
 **Test 5.3.1 — DER CRL endpoint (RFC 5280 §5, unauthenticated)**
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/crl" | jq '{total: .total, entries_count: (.entries | length)}'
+curl -s -D - -o /tmp/crl.der "$SERVER/.well-known/pki/crl/iss-local" | grep -i "content-type"
 openssl crl -inform der -in /tmp/crl.der -noout -text | head -40
 ```
-**What:** Fetches the JSON-formatted Certificate Revocation List.
+**What:** Fetches the DER-encoded X.509 CRL for the local issuer without presenting any API credentials.
-**Why:** CRL is how relying parties check if a certificate has been revoked. The JSON CRL is the machine-readable API view.
+**Why:** Relying parties (browsers, TLS libraries, network appliances) don't have certctl API keys. RFC 5280 §5 defines only the DER wire format, and RFC 8615 defines `.well-known/pki/*` as the relying-party namespace. The Content-Type must be `application/pkix-crl` and `openssl crl -inform der` must parse the body.
-**Expected:** HTTP 200. `total` > 0 (we revoked several certs above). Entries array contains serial numbers.
+**Expected:** `Content-Type: application/pkix-crl`, `openssl` prints a valid CRL with the revoked serials we created above.
-**PASS if** HTTP 200 and `total` > 0. **FAIL** if total = 0 or 500.
+**PASS if** Content-Type matches and `openssl crl` parses the body. **FAIL** if JSON/HTML, 401/403, or parse error.
 ---
-**Test 5.3.2 — DER CRL endpoint**
+**Test 5.3.2 — OCSP: good response for non-revoked cert (RFC 6960, unauthenticated)**
 ```bash
-curl -s -D - -o /dev/null -H "$AUTH" "$SERVER/api/v1/crl/iss-local" | grep -i "content-type"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/mc-api-prod" -o /tmp/ocsp.der
 openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | head -20
 ```
-**What:** Fetches the DER-encoded X.509 CRL for the local issuer.
+**What:** Queries the OCSP responder for a non-revoked certificate without any Authorization header.
-**Why:** Standard CRL consumers (browsers, TLS libraries) expect DER-encoded CRLs, not JSON. The Content-Type must be correct.
+**Why:** OCSP is the real-time alternative to CRL. RFC 6960 relying parties do not authenticate to the responder, so the endpoint must be public and return `Content-Type: application/ocsp-response`.
-**Expected:** `Content-Type: application/pkix-crl`
+**Expected:** HTTP 200 with OCSP response indicating "good" status when `openssl ocsp -respin` parses the body.
-**PASS if** Content-Type is `application/pkix-crl`. **FAIL** if JSON or other.
+**PASS if** HTTP 200 and cert status prints "good". **FAIL** if 401/403/500 or "revoked"/"unknown".
 ---
-**Test 5.3.3 — OCSP: good response for non-revoked cert**
+**Test 5.3.3 — OCSP: revoked response for revoked cert (unauthenticated)**
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/mc-api-prod"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/mc-test-full" -o /tmp/ocsp.der
-```
+openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | grep -i "cert status"
 **What:** Queries the OCSP responder for a non-revoked certificate.
 **Why:** OCSP is the real-time alternative to CRL. A "good" response means the cert is valid.
 **Expected:** HTTP 200 with OCSP response indicating "good" status.
 **PASS if** HTTP 200. **FAIL** if 500.
 ---
 **Test 5.3.4 — OCSP: revoked response for revoked cert**
 ```bash
 curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/mc-test-full"
 ```
 **What:** Queries OCSP for a certificate we revoked earlier.
-**Why:** OCSP must return "revoked" status for revoked certs. If it still returns "good," relying parties will trust a compromised certificate.
+**Why:** OCSP must return "revoked" status for revoked certs. If it still returns "good," relying parties will trust a compromised certificate. Endpoint is unauthenticated per RFC 6960.
 **Expected:** HTTP 200 with OCSP response indicating "revoked" status.
-**PASS if** HTTP 200 and response indicates revoked. **FAIL** if response indicates "good".
+**PASS if** HTTP 200 and status prints "revoked". **FAIL** if status is "good".
 ---
-**Test 5.3.5 — OCSP: unknown serial**
+**Test 5.3.4 — OCSP: unknown serial (unauthenticated)**
 ```bash
-curl -s -w "\nHTTP %{http_code}\n" -H "$AUTH" "$SERVER/api/v1/ocsp/iss-local/nonexistent-serial"
+curl -s -w "\nHTTP %{http_code}\n" "$SERVER/.well-known/pki/ocsp/iss-local/nonexistent-serial" -o /tmp/ocsp.der
 openssl ocsp -respin /tmp/ocsp.der -noverify -text 2>/dev/null | grep -i "cert status"
 ```
 **What:** Queries OCSP for a serial number the server doesn't recognize.
-**Why:** OCSP must return "unknown" for serials it doesn't manage, not "good" (which would be a false positive).
+**Why:** OCSP must return "unknown" for serials it doesn't manage, not "good" (which would be a false positive). Endpoint is public per RFC 6960.
 **Expected:** HTTP 200 with OCSP "unknown" response, or HTTP 404.
 **PASS if** response is "unknown" or 404. **FAIL** if "good".
@@ -2102,9 +2095,10 @@ go test ./internal/connector/issuer/local/ -run "TestSubCA" -v
 **What:** In sub-CA mode, the DER CRL (Part 31.1) should be signed by the sub-CA key, not a self-signed root.
 ```bash
-# After starting in sub-CA mode and revoking a cert:
+# After starting in sub-CA mode and revoking a cert. The CRL is
-curl -s -H "Authorization: Bearer $API_KEY" \
+# published unauthenticated under the RFC 8615 well-known namespace
-  "http://localhost:8443/api/v1/crl/iss-local" -o /tmp/subca-crl.der
+# because relying parties don't carry certctl API keys.
 curl -s "http://localhost:8443/.well-known/pki/crl/iss-local" -o /tmp/subca-crl.der
 openssl crl -in /tmp/subca-crl.der -inform DER -noout -issuer
 ```
@@ -3706,23 +3700,24 @@ go test ./internal/service/ -run TestCSRRenewal -v
 **Why:** TLS clients need to verify that certificates haven't been revoked. Without OCSP/CRL, a compromised certificate remains trusted until it expires. The short-lived exemption avoids bloating the CRL with certs that expire before distribution.
-### 24.1: DER-Encoded CRL
+> **M-006 note:** CRL and OCSP are published at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5, `application/pkix-crl`) and `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `application/ocsp-response`). Per RFC 8615, `.well-known/pki/*` is the relying-party namespace, and the endpoints are served **unauthenticated** — browsers, TLS libraries, and network appliances do not have certctl API keys. The legacy `GET /api/v1/crl`, `GET /api/v1/crl/{issuer_id}`, and `GET /api/v1/ocsp/{issuer_id}/{serial}` routes were removed.
-**What:** `GET /api/v1/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA. Content-Type is `application/pkix-crl`. The CRL has 24-hour validity.
+### 24.1: DER-Encoded CRL (unauthenticated)
-**Why:** This is the standard CRL format that browsers, TLS libraries, and LDAP directories consume. The existing JSON CRL at `GET /api/v1/crl` is certctl-specific; the DER CRL is interoperable.
+**What:** `GET /.well-known/pki/crl/{issuer_id}` returns a DER-encoded X.509 CRL signed by the issuing CA. Content-Type is `application/pkix-crl`. The CRL has 24-hour validity.
 **Why:** This is the RFC 5280 §5 wire format that browsers, TLS libraries, and LDAP directories consume. It must be reachable without any Authorization header so that relying parties — who have no certctl credentials — can fetch it.
 ```bash
-# Request DER CRL for the local issuer
+# Request DER CRL for the local issuer. No Authorization header.
-curl -s -D - -H "Authorization: Bearer $API_KEY" \
+curl -s -D - "http://localhost:8443/.well-known/pki/crl/iss-local" \
  "http://localhost:8443/api/v1/crl/iss-local" \
  -o /tmp/crl.der
 # Verify it's valid DER CRL with openssl
 openssl crl -in /tmp/crl.der -inform DER -noout -text
 ```
-**Expected:** 200 OK, Content-Type `application/pkix-crl`, Cache-Control `public, max-age=3600`.
+**Expected:** 200 OK, Content-Type `application/pkix-crl`.
 **PASS if:**
 - `openssl crl` parses the DER file successfully
@@ -3730,33 +3725,34 @@ openssl crl -in /tmp/crl.der -inform DER -noout -text
 - Validity period is present (thisUpdate / nextUpdate)
 - If any certs have been revoked, they appear in the revocation list with serial + reason
-**FAIL if:** Response is JSON (wrong endpoint), `openssl` rejects the DER format, or headers are wrong.
+**FAIL if:** Response is JSON (wrong endpoint), `openssl` rejects the DER format, headers are wrong, or the server returns 401/403 (auth must NOT be required).
 ### 24.2: DER CRL — Nonexistent Issuer
 ```bash
-curl -s -w "\n%{http_code}" -H "Authorization: Bearer $API_KEY" \
+curl -s -w "\n%{http_code}" \
-  "http://localhost:8443/api/v1/crl/iss-nonexistent"
+  "http://localhost:8443/.well-known/pki/crl/iss-nonexistent"
 ```
 **Expected:** 404 Not Found.
 **PASS if** status code is 404 and body contains "not found".
-### 24.3: OCSP Responder — Good Status
+### 24.3: OCSP Responder — Good Status (unauthenticated)
-**What:** `GET /api/v1/ocsp/{issuer_id}/{serial}` returns a signed OCSP response. For a non-revoked certificate, the status is "good".
+**What:** `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` returns a signed OCSP response. For a non-revoked certificate, the status is "good".
-**Why:** OCSP is the real-time revocation check that TLS clients perform during the handshake. A "good" response tells the client the cert is still valid.
+**Why:** OCSP is the real-time RFC 6960 revocation check that TLS clients perform during the handshake. A "good" response tells the client the cert is still valid. Relying parties fetch this without API credentials.
 ```bash
-# First, get a certificate's serial number
+# First, get a certificate's serial number (this uses the authenticated API
 # because the operator has an API key — that is different from the relying
 # party fetching the OCSP response).
 SERIAL=$(curl -s -H "Authorization: Bearer $API_KEY" \
  "http://localhost:8443/api/v1/certificates/mc-api-prod" | jq -r '.latest_version.serial_number // empty')
-# If serial is available, query OCSP
+# Query OCSP without any Authorization header.
 if [ -n "$SERIAL" ]; then
-  curl -s -D - -H "Authorization: Bearer $API_KEY" \
+  curl -s -D - "http://localhost:8443/.well-known/pki/ocsp/iss-local/$SERIAL" \
    "http://localhost:8443/api/v1/ocsp/iss-local/$SERIAL" \
    -o /tmp/ocsp.der
  # Parse OCSP response
@@ -3771,7 +3767,7 @@ fi
 - Certificate status is "good" for a non-revoked cert
 - Response is signed (producedAt timestamp present)
-**FAIL if:** Response is JSON, OCSP status is wrong, or `openssl` rejects the response.
+**FAIL if:** Response is JSON, OCSP status is wrong, `openssl` rejects the response, or the endpoint requires auth.
 ### 24.4: OCSP Responder — Revoked Status
@@ -3784,9 +3780,8 @@ curl -s -X POST -H "Authorization: Bearer $API_KEY" \
  -d '{"reason": "keyCompromise"}' \
  "http://localhost:8443/api/v1/certificates/$CERT_ID/revoke"
-# Then query OCSP
+# Then query OCSP — unauthenticated.
-curl -s -H "Authorization: Bearer $API_KEY" \
+curl -s "http://localhost:8443/.well-known/pki/ocsp/iss-local/$SERIAL" \
  "http://localhost:8443/api/v1/ocsp/iss-local/$SERIAL" \
  -o /tmp/ocsp-revoked.der
 openssl ocsp -respin /tmp/ocsp-revoked.der -text -noverify
@@ -3801,8 +3796,7 @@ openssl ocsp -respin /tmp/ocsp-revoked.der -text -noverify
 **What:** Querying a serial number that doesn't exist in the inventory returns an "unknown" OCSP status (not an error — this is the correct OCSP behavior per RFC 6960).
 ```bash
-curl -s -H "Authorization: Bearer $API_KEY" \
+curl -s "http://localhost:8443/.well-known/pki/ocsp/iss-local/DEADBEEF" \
  "http://localhost:8443/api/v1/ocsp/iss-local/DEADBEEF" \
  -o /tmp/ocsp-unknown.der
 openssl ocsp -respin /tmp/ocsp-unknown.der -text -noverify
@@ -3820,9 +3814,8 @@ openssl ocsp -respin /tmp/ocsp-unknown.der -text -noverify
 To test: revoke a cert that was issued under the `prof-short-lived` profile, then check the DER CRL. The revoked short-lived cert should NOT appear.
 ```bash
-# After revoking a short-lived cert (serial SHORT_SERIAL):
+# After revoking a short-lived cert (serial SHORT_SERIAL). No auth needed.
-curl -s -H "Authorization: Bearer $API_KEY" \
+curl -s "http://localhost:8443/.well-known/pki/crl/iss-local" -o /tmp/crl.der
  "http://localhost:8443/api/v1/crl/iss-local" -o /tmp/crl.der
 openssl crl -in /tmp/crl.der -inform DER -text | grep -i "$SHORT_SERIAL"
 ```
@@ -247,26 +247,30 @@ func TestGetCertificateVersions_MultiSegment(t *testing.T) {
 }
 // TestHandleOCSP_MultiSegment exercises the OCSP responder's 2-segment path
-// parser (/api/v1/ocsp/{issuer_id}/{serial_hex}). Each leg is attacker-
+// parser (/.well-known/pki/ocsp/{issuer_id}/{serial_hex}). Each leg is
-// controlled and the serial can be arbitrary length. This is a key adversarial
+// attacker-controlled and the serial can be arbitrary length. This is a key
-// surface because the serial is passed directly to the CA-operations service,
+// adversarial surface because the serial is passed directly to the
-// which is expected to treat it as an opaque identifier.
+// CA-operations service, which is expected to treat it as an opaque
 // identifier.
 //
 // M-006 relocation: these paths were previously served at /api/v1/ocsp/*;
 // under RFC 8615 and RFC 6960 they now live under /.well-known/pki/ocsp/*.
 func TestHandleOCSP_MultiSegment(t *testing.T) {
 	cases := []struct {
 		name string
 		path string
 	}{
-		{"missing_serial", "/api/v1/ocsp/iss-local"},
+		{"missing_serial", "/.well-known/pki/ocsp/iss-local"},
-		{"missing_both", "/api/v1/ocsp/"},
+		{"missing_both", "/.well-known/pki/ocsp/"},
-		{"empty_issuer", "/api/v1/ocsp//01ABCDEF"},
+		{"empty_issuer", "/.well-known/pki/ocsp//01ABCDEF"},
-		{"empty_serial", "/api/v1/ocsp/iss-local/"},
+		{"empty_serial", "/.well-known/pki/ocsp/iss-local/"},
-		{"traversal_issuer", "/api/v1/ocsp/..%2F..%2Fetc/passwd/01"},
+		{"traversal_issuer", "/.well-known/pki/ocsp/..%2F..%2Fetc/passwd/01"},
-		{"null_byte_serial", "/api/v1/ocsp/iss-local/01\x00FF"},
+		{"null_byte_serial", "/.well-known/pki/ocsp/iss-local/01\x00FF"},
-		{"sql_injection_serial", "/api/v1/ocsp/iss-local/01'; DROP TABLE--"},
+		{"sql_injection_serial", "/.well-known/pki/ocsp/iss-local/01'; DROP TABLE--"},
-		{"negative_hex_serial", "/api/v1/ocsp/iss-local/-1"},
+		{"negative_hex_serial", "/.well-known/pki/ocsp/iss-local/-1"},
-		{"unicode_serial", "/api/v1/ocsp/iss-local/01\u2010FF"},
+		{"unicode_serial", "/.well-known/pki/ocsp/iss-local/01\u2010FF"},
-		{"extremely_long_serial", "/api/v1/ocsp/iss-local/" + strings.Repeat("F", 10000)},
+		{"extremely_long_serial", "/.well-known/pki/ocsp/iss-local/" + strings.Repeat("F", 10000)},
-		{"extra_segments", "/api/v1/ocsp/iss-local/01FF/extra/segments"},
+		{"extra_segments", "/.well-known/pki/ocsp/iss-local/01FF/extra/segments"},
 	}
 	for _, tc := range cases {
@@ -301,7 +305,9 @@ func TestHandleOCSP_MultiSegment(t *testing.T) {
 	}
 }
-// TestGetDERCRL_IssuerPathInjection exercises /api/v1/crl/{issuer_id}.
+// TestGetDERCRL_IssuerPathInjection exercises
 // /.well-known/pki/crl/{issuer_id} (RFC 5280 CRL; M-006 relocation from
 // /api/v1/crl/{issuer_id}).
 func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 	for _, tc := range adversarialPathInputs() {
 		t.Run(tc.name, func(t *testing.T) {
@@ -316,8 +322,8 @@ func TestGetDERCRL_IssuerPathInjection(t *testing.T) {
 				return nil, ErrMockNotFound
 			}
-			req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/x", nil)
+			req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/x", nil)
-			req.URL.Path = "/api/v1/crl/" + tc.input
+			req.URL.Path = "/.well-known/pki/crl/" + tc.input
 			req = req.WithContext(contextWithRequestID())
 			w := httptest.NewRecorder()
@@ -37,6 +37,11 @@ type bulkRevokeRequest struct {
 // BulkRevoke handles bulk certificate revocation.
 // POST /api/v1/certificates/bulk-revoke
 //
 // M-003: admin-only. Bulk revocation is a fleet-scale destructive operation —
 // a non-admin caller must not be able to invalidate certificates across
 // profiles/owners/agents. The gate is enforced here (before body parsing) so a
 // non-admin never sees its request criteria evaluated.
 func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
@@ -45,6 +50,16 @@ func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request
 	requestID := middleware.GetRequestID(r.Context())
 	// M-003: admin-only gate. Non-admin callers are rejected before any
 	// criteria/body processing to avoid leaking validation behavior to
 	// unauthorized actors.
 	if !middleware.IsAdmin(r.Context()) {
 		ErrorWithRequestID(w, http.StatusForbidden,
 			"Bulk revocation requires admin privileges",
 			requestID)
 		return
 	}
 	var req bulkRevokeRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Invalid request body", requestID)
@@ -78,11 +93,8 @@ func (h BulkRevocationHandler) BulkRevoke(w http.ResponseWriter, r *http.Request
 		return
 	}
-	// Extract actor from auth context
+	// Extract actor from auth context (M-002: named-key identity → audit trail)
-	actor := "api"
+	actor := resolveActor(r.Context())
 	if user, ok := middleware.GetUser(r.Context()); ok && user != "" {
 		actor = user
 	}
 	result, err := h.svc.BulkRevoke(r.Context(), criteria, req.Reason, actor)
 	if err != nil {
@@ -7,8 +7,10 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
 )
@@ -24,6 +26,15 @@ func (m *mockBulkRevocationService) BulkRevoke(ctx context.Context, criteria dom
 	return &domain.BulkRevocationResult{}, nil
 }
 // adminContext returns a context carrying the admin flag, mimicking what the
 // auth middleware sets for named-key callers whose entry is admin-tagged.
 // M-003: bulk revocation handler requires admin context to reach the service.
 func adminContext() context.Context {
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id-bulk")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
 	return ctx
 }
 func TestBulkRevoke_Success_WithIDs(t *testing.T) {
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
@@ -44,6 +55,7 @@ func TestBulkRevoke_Success_WithIDs(t *testing.T) {
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -82,6 +94,7 @@ func TestBulkRevoke_Success_WithProfile(t *testing.T) {
 	body := `{"reason":"keyCompromise","profile_id":"prof-tls"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -97,6 +110,7 @@ func TestBulkRevoke_MissingReason_400(t *testing.T) {
 	body := `{"certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -112,6 +126,7 @@ func TestBulkRevoke_EmptyCriteria_400(t *testing.T) {
 	body := `{"reason":"keyCompromise"}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -127,6 +142,7 @@ func TestBulkRevoke_InvalidReason_400(t *testing.T) {
 	body := `{"reason":"totallyBogus","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -139,6 +155,8 @@ func TestBulkRevoke_InvalidReason_400(t *testing.T) {
 func TestBulkRevoke_MethodNotAllowed_405(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	// Method check fires before the admin gate, so 405 must hold even for a
 	// non-admin caller — asserting this keeps the ordering explicit.
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/certificates/bulk-revoke", nil)
 	w := httptest.NewRecorder()
@@ -160,6 +178,7 @@ func TestBulkRevoke_ServiceError_500(t *testing.T) {
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(adminContext())
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
@@ -168,3 +187,103 @@ func TestBulkRevoke_ServiceError_500(t *testing.T) {
 		t.Errorf("expected 500, got %d", w.Code)
 	}
 }
 // --- M-003: admin-only gate on bulk revocation ---
 // TestBulkRevoke_NonAdmin_Returns403 is the central authorization regression
 // for M-003. A caller without an admin-tagged context must be rejected with
 // HTTP 403, regardless of how well-formed its body is, and the service layer
 // must never see the request.
 func TestBulkRevoke_NonAdmin_Returns403(t *testing.T) {
 	var serviceCalled bool
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			serviceCalled = true
 			return &domain.BulkRevocationResult{}, nil
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	// Well-formed body + well-formed reason + filter — the only thing
 	// missing is an admin-tagged context. The gate must still fire.
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1","mc-2"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	req = req.WithContext(contextWithRequestID()) // request id only, no admin flag
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "admin") {
 		t.Errorf("expected message to mention admin requirement, got %q", msg)
 	}
 	if serviceCalled {
 		t.Errorf("service was invoked despite non-admin caller — gate failed open")
 	}
 }
 // TestBulkRevoke_AdminExplicitFalse_Returns403 pins the specific case where the
 // AdminKey exists but is set to false — e.g., a non-admin named-key caller.
 // Without this we could regress to "key missing == deny, key present == allow"
 // which would silently grant a false flag.
 func TestBulkRevoke_AdminExplicitFalse_Returns403(t *testing.T) {
 	h := NewBulkRevocationHandler(&mockBulkRevocationService{})
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, false)
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403 for admin=false, got %d", w.Code)
 	}
 }
 // TestBulkRevoke_AdminPermitted_ForwardsActor confirms the happy path:
 // an admin-tagged context reaches the service and the actor (from the auth
 // UserKey) is propagated through to BulkRevoke. This keeps the admin gate and
 // the M-002 actor-propagation wired together in a single regression.
 func TestBulkRevoke_AdminPermitted_ForwardsActor(t *testing.T) {
 	var capturedActor string
 	svc := &mockBulkRevocationService{
 		BulkRevokeFn: func(ctx context.Context, criteria domain.BulkRevocationCriteria, reason string, actor string) (*domain.BulkRevocationResult, error) {
 			capturedActor = actor
 			return &domain.BulkRevocationResult{TotalMatched: 1, TotalRevoked: 1}, nil
 		},
 	}
 	h := NewBulkRevocationHandler(svc)
 	body := `{"reason":"keyCompromise","certificate_ids":["mc-1"]}`
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/certificates/bulk-revoke", bytes.NewBufferString(body))
 	req.Header.Set("Content-Type", "application/json")
 	ctx := context.WithValue(context.Background(), middleware.RequestIDKey{}, "test-request-id")
 	ctx = context.WithValue(ctx, middleware.AdminKey{}, true)
 	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	h.BulkRevoke(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected status 200 for admin caller, got %d (body=%q)", w.Code, w.Body.String())
 	}
 	if capturedActor != "ops-admin" {
 		t.Errorf("expected actor ops-admin, got %q", capturedActor)
 	}
 }
@@ -1018,127 +1018,13 @@ func TestRevokeCertificate_Handler_ServerError(t *testing.T) {
 	}
 }
-// === CRL Handler Tests ===
+// === CRL and OCSP Handler Tests (RFC 5280 / RFC 6960, served under /.well-known/pki/) ===
-
+//
-func TestGetCRL_Success(t *testing.T) {
+// M-006 relocated these endpoints from /api/v1/crl* and /api/v1/ocsp/* to the
-	mock := &MockCertificateService{
+// RFC-compliant /.well-known/pki/ namespace and deleted the non-standard JSON
-		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
+// CRL endpoint. The DER-encoded X.509 CRL (application/pkix-crl) and the
-			return []*domain.CertificateRevocation{
+// DER-encoded OCSP response (application/ocsp-response) are the only wire
-				{
+// formats certctl supports for revocation data.
 					ID:            "rev-1",
 					CertificateID: "cert-1",
 					SerialNumber:  "ABC123",
 					Reason:        "keyCompromise",
 					RevokedAt:     time.Date(2026, 3, 20, 10, 0, 0, 0, time.UTC),
 				},
 				{
 					ID:            "rev-2",
 					CertificateID: "cert-2",
 					SerialNumber:  "DEF456",
 					Reason:        "superseded",
 					RevokedAt:     time.Date(2026, 3, 21, 14, 30, 0, 0, time.UTC),
 				},
 			}, nil
 		},
 	}
 	handler := NewCertificateHandler(mock)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	handler.GetCRL(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
 	}
 	var resp map[string]interface{}
 	json.NewDecoder(w.Body).Decode(&resp)
 	if resp["version"] != float64(1) {
 		t.Errorf("expected version 1, got %v", resp["version"])
 	}
 	if resp["total"] != float64(2) {
 		t.Errorf("expected total 2, got %v", resp["total"])
 	}
 	entries, ok := resp["entries"].([]interface{})
 	if !ok {
 		t.Fatal("expected entries to be an array")
 	}
 	if len(entries) != 2 {
 		t.Errorf("expected 2 entries, got %d", len(entries))
 	}
 	entry1 := entries[0].(map[string]interface{})
 	if entry1["serial_number"] != "ABC123" {
 		t.Errorf("expected serial ABC123, got %v", entry1["serial_number"])
 	}
 	if entry1["revocation_reason"] != "keyCompromise" {
 		t.Errorf("expected reason keyCompromise, got %v", entry1["revocation_reason"])
 	}
 }
 func TestGetCRL_Empty(t *testing.T) {
 	mock := &MockCertificateService{
 		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, nil
 		},
 	}
 	handler := NewCertificateHandler(mock)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	handler.GetCRL(w, req)
 	if w.Code != http.StatusOK {
 		t.Errorf("expected status %d, got %d", http.StatusOK, w.Code)
 	}
 	var resp map[string]interface{}
 	json.NewDecoder(w.Body).Decode(&resp)
 	if resp["total"] != float64(0) {
 		t.Errorf("expected total 0, got %v", resp["total"])
 	}
 }
 func TestGetCRL_ServiceError(t *testing.T) {
 	mock := &MockCertificateService{
 		GetRevokedCertificatesFn: func(_ context.Context) ([]*domain.CertificateRevocation, error) {
 			return nil, fmt.Errorf("revocation repository not configured")
 		},
 	}
 	handler := NewCertificateHandler(mock)
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	handler.GetCRL(w, req)
 	if w.Code != http.StatusInternalServerError {
 		t.Errorf("expected status %d, got %d", http.StatusInternalServerError, w.Code)
 	}
 }
 func TestGetCRL_MethodNotAllowed(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/crl", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	handler.GetCRL(w, req)
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("expected status %d, got %d", http.StatusMethodNotAllowed, w.Code)
 	}
 }
 // M15b: DER CRL and OCSP Handler Tests
 func TestGetDERCRL_Success(t *testing.T) {
 	derCRLData := []byte{0x30, 0x82, 0x01, 0x00} // Mock DER CRL bytes
@@ -1152,7 +1038,7 @@ func TestGetDERCRL_Success(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/iss-local", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/iss-local", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1167,6 +1053,9 @@ func TestGetDERCRL_Success(t *testing.T) {
 	if len(responseBody) == 0 {
 		t.Error("expected non-empty response body")
 	}
 	if ct := w.Header().Get("Content-Type"); ct != "application/pkix-crl" {
 		t.Errorf("expected Content-Type application/pkix-crl, got %q", ct)
 	}
 }
 func TestGetDERCRL_IssuerNotFound(t *testing.T) {
@@ -1177,7 +1066,7 @@ func TestGetDERCRL_IssuerNotFound(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/nonexistent", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/nonexistent", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1196,7 +1085,7 @@ func TestGetDERCRL_NotSupported(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/crl/iss-acme", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/crl/iss-acme", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1211,7 +1100,7 @@ func TestGetDERCRL_NotSupported(t *testing.T) {
 func TestGetDERCRL_MethodNotAllowed(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/crl/iss-local", nil)
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/pki/crl/iss-local", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1234,7 +1123,7 @@ func TestHandleOCSP_Success(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/12345", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/12345", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1248,12 +1137,15 @@ func TestHandleOCSP_Success(t *testing.T) {
 	if len(responseBody) == 0 {
 		t.Error("expected non-empty OCSP response body")
 	}
 	if ct := w.Header().Get("Content-Type"); ct != "application/ocsp-response" {
 		t.Errorf("expected Content-Type application/ocsp-response, got %q", ct)
 	}
 }
 func TestHandleOCSP_MissingSerial(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1272,7 +1164,7 @@ func TestHandleOCSP_IssuerNotFound(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/nonexistent/ABC123", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/nonexistent/ABC123", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1291,7 +1183,7 @@ func TestHandleOCSP_CertNotFound(t *testing.T) {
 	}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodGet, "/api/v1/ocsp/iss-local/UNKNOWN", nil)
+	req := httptest.NewRequest(http.MethodGet, "/.well-known/pki/ocsp/iss-local/UNKNOWN", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -1305,7 +1197,7 @@ func TestHandleOCSP_CertNotFound(t *testing.T) {
 func TestHandleOCSP_MethodNotAllowed(t *testing.T) {
 	mock := &MockCertificateService{}
 	handler := NewCertificateHandler(mock)
-	req := httptest.NewRequest(http.MethodPost, "/api/v1/ocsp/iss-local/12345", nil)
+	req := httptest.NewRequest(http.MethodPost, "/.well-known/pki/ocsp/iss-local/12345", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
@@ -411,7 +411,9 @@ func (h CertificateHandler) TriggerRenewal(w http.ResponseWriter, r *http.Reques
 	}
 	certID := parts[0]
-	if err := h.svc.TriggerRenewal(r.Context(), certID, "api"); err != nil {
+	actor := resolveActor(r.Context())
 	if err := h.svc.TriggerRenewal(r.Context(), certID, actor); err != nil {
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Certificate not found", requestID)
@@ -467,7 +469,9 @@ func (h CertificateHandler) TriggerDeployment(w http.ResponseWriter, r *http.Req
 		}
 	}
-	if err := h.svc.TriggerDeployment(r.Context(), certID, req.TargetID, "api"); err != nil {
+	actor := resolveActor(r.Context())
 	if err := h.svc.TriggerDeployment(r.Context(), certID, req.TargetID, actor); err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to trigger deployment", requestID)
 		return
 	}
@@ -509,7 +513,9 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 		}
 	}
-	if err := h.svc.RevokeCertificate(r.Context(), certID, req.Reason, "api"); err != nil {
+	actor := resolveActor(r.Context())
 	if err := h.svc.RevokeCertificate(r.Context(), certID, req.Reason, actor); err != nil {
 		// Distinguish between client errors and server errors
 		errMsg := err.Error()
 		if strings.Contains(errMsg, "already revoked") ||
@@ -529,49 +535,12 @@ func (h CertificateHandler) RevokeCertificate(w http.ResponseWriter, r *http.Req
 	JSON(w, http.StatusOK, map[string]string{"status": "revoked"})
 }
 // GetCRL returns the Certificate Revocation List as structured JSON.
 // GET /api/v1/crl
 // Note: DER-encoded X.509 CRL generation (requiring CA key access) is planned for M15b
 // alongside the embedded OCSP responder. This endpoint provides the same data in JSON format.
 func (h CertificateHandler) GetCRL(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodGet {
 		Error(w, http.StatusMethodNotAllowed, "Method not allowed")
 		return
 	}
 	requestID := middleware.GetRequestID(r.Context())
 	revocations, err := h.svc.GetRevokedCertificates(r.Context())
 	if err != nil {
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to generate CRL", requestID)
 		return
 	}
 	type CRLEntry struct {
 		SerialNumber     string `json:"serial_number"`
 		RevocationDate   string `json:"revocation_date"`
 		RevocationReason string `json:"revocation_reason"`
 	}
 	entries := make([]CRLEntry, 0, len(revocations))
 	for _, rev := range revocations {
 		entries = append(entries, CRLEntry{
 			SerialNumber:     rev.SerialNumber,
 			RevocationDate:   rev.RevokedAt.Format("2006-01-02T15:04:05Z"),
 			RevocationReason: rev.Reason,
 		})
 	}
 	JSON(w, http.StatusOK, map[string]interface{}{
 		"version":      1,
 		"entries":      entries,
 		"total":        len(entries),
 		"generated_at": time.Now().UTC().Format("2006-01-02T15:04:05Z"),
 	})
 }
 // GetDERCRL returns a DER-encoded X.509 CRL signed by the specified issuer.
-// GET /api/v1/crl/{issuer_id}
+// GET /.well-known/pki/crl/{issuer_id}
 //
 // RFC 5280 § 5. Served unauthenticated under the /.well-known/pki/ namespace so
 // relying parties (browsers, OpenSSL, OCSP stapling sidecars) can fetch the CRL
 // without presenting certctl API credentials.
 func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 	requestID, _ := r.Context().Value("request_id").(string)
@@ -580,7 +549,7 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	issuerID := strings.TrimPrefix(r.URL.Path, "/api/v1/crl/")
+	issuerID := strings.TrimPrefix(r.URL.Path, "/.well-known/pki/crl/")
 	if issuerID == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID is required", requestID)
 		return
@@ -608,8 +577,11 @@ func (h CertificateHandler) GetDERCRL(w http.ResponseWriter, r *http.Request) {
 }
 // HandleOCSP processes OCSP requests.
-// GET /api/v1/ocsp/{issuer_id}/{serial_hex}
+// GET /.well-known/pki/ocsp/{issuer_id}/{serial_hex}
-// For simplicity, use GET with path params instead of binary POST.
+//
 // RFC 6960. Served unauthenticated under the /.well-known/pki/ namespace. For
 // simplicity we accept GET with path params rather than the binary POST body
 // form — the response is a valid DER-encoded OCSP response either way.
 func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 	requestID, _ := r.Context().Value("request_id").(string)
@@ -618,8 +590,8 @@ func (h CertificateHandler) HandleOCSP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	// Extract issuer_id and serial from path: /api/v1/ocsp/{issuer_id}/{serial_hex}
+	// Extract issuer_id and serial from path: /.well-known/pki/ocsp/{issuer_id}/{serial_hex}
-	path := strings.TrimPrefix(r.URL.Path, "/api/v1/ocsp/")
+	path := strings.TrimPrefix(r.URL.Path, "/.well-known/pki/ocsp/")
 	parts := strings.SplitN(path, "/", 2)
 	if len(parts) < 2 || parts[0] == "" || parts[1] == "" {
 		ErrorWithRequestID(w, http.StatusBadRequest, "Issuer ID and serial number are required", requestID)
@@ -2,6 +2,8 @@ package handler
 import (
 	"net/http"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 // HealthHandler handles health and readiness check endpoints.
@@ -55,9 +57,23 @@ func (h HealthHandler) AuthInfo(w http.ResponseWriter, r *http.Request) {
 	JSON(w, http.StatusOK, response)
 }
-// AuthCheck returns 200 if the request has valid auth credentials.
+// AuthCheck returns 200 if the request has valid auth credentials, along with
-// The auth middleware runs before this handler, so reaching here means auth passed.
+// the resolved named-key identity and admin flag so the GUI can gate
 // admin-only affordances (e.g., the bulk-revoke button).
 //
 // M-003 (Phase B.4): surface the admin flag so the frontend hides affordances
 // that would otherwise 403 at the server. This is a hint for UX only —
 // authorization remains enforced at the handler layer (bulk_revocation.go).
 //
 // The auth middleware runs before this handler, so reaching here means auth
 // passed. `user` falls back to an empty string when auth is disabled
 // (CERTCTL_AUTH_TYPE=none).
 // GET /api/v1/auth/check
 func (h HealthHandler) AuthCheck(w http.ResponseWriter, r *http.Request) {
-	JSON(w, http.StatusOK, map[string]string{"status": "authenticated"})
+	response := map[string]interface{}{
 		"status": "authenticated",
 		"user":   middleware.GetUser(r.Context()),
 		"admin":  middleware.IsAdmin(r.Context()),
 	}
 	JSON(w, http.StatusOK, response)
 }
@@ -1,10 +1,13 @@
 package handler
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 func TestHealth_ReturnsOK(t *testing.T) {
@@ -204,8 +207,8 @@ func TestAuthCheck_ReturnsOK(t *testing.T) {
 		t.Errorf("Content-Type = %q, want application/json", ct)
 	}
-	// Check response body
+	// Check response body — mixed-value map (string + bool) post-Phase B.4.
-	var result map[string]string
+	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
@@ -232,3 +235,113 @@ func TestAuthCheck_MethodNotAllowed(t *testing.T) {
 		t.Logf("AuthCheck returned status %d (note: method not enforced in handler)", status)
 	}
 }
 // --- M-003 (Phase B.4): /auth/check surfaces admin flag + user identity ---
 // TestAuthCheck_AdminCaller_ReportsAdminTrue confirms that when the auth
 // middleware sets AdminKey{}=true (i.e., named key was admin-tagged), the
 // /auth/check endpoint reports admin=true so the GUI can show admin-only
 // affordances.
 func TestAuthCheck_AdminCaller_ReportsAdminTrue(t *testing.T) {
 	handler := NewHealthHandler("api-key")
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
 	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, true)
 	ctx = context.WithValue(ctx, middleware.UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.AuthCheck(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected status 200, got %d", w.Code)
 	}
 	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	if result["status"] != "authenticated" {
 		t.Errorf("status = %q, want authenticated", result["status"])
 	}
 	admin, ok := result["admin"].(bool)
 	if !ok {
 		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
 	}
 	if !admin {
 		t.Errorf("admin = false, want true")
 	}
 	if result["user"] != "ops-admin" {
 		t.Errorf("user = %q, want ops-admin", result["user"])
 	}
 }
 // TestAuthCheck_NonAdminCaller_ReportsAdminFalse pins the negative case: the
 // auth middleware has stored AdminKey{}=false (non-admin named key) — the
 // endpoint must report admin=false so the GUI hides admin-only affordances.
 func TestAuthCheck_NonAdminCaller_ReportsAdminFalse(t *testing.T) {
 	handler := NewHealthHandler("api-key")
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
 	ctx := context.WithValue(req.Context(), middleware.AdminKey{}, false)
 	ctx = context.WithValue(ctx, middleware.UserKey{}, "alice")
 	req = req.WithContext(ctx)
 	w := httptest.NewRecorder()
 	handler.AuthCheck(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected status 200, got %d", w.Code)
 	}
 	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	admin, ok := result["admin"].(bool)
 	if !ok {
 		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
 	}
 	if admin {
 		t.Errorf("admin = true, want false")
 	}
 	if result["user"] != "alice" {
 		t.Errorf("user = %q, want alice", result["user"])
 	}
 }
 // TestAuthCheck_NoAuthContext_DefaultsToEmptyUserAndFalseAdmin covers the
 // CERTCTL_AUTH_TYPE=none deployment, where the auth middleware doesn't set
 // any keys. Response must still be well-formed with empty user + admin=false.
 func TestAuthCheck_NoAuthContext_DefaultsToEmptyUserAndFalseAdmin(t *testing.T) {
 	handler := NewHealthHandler("none")
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/auth/check", nil)
 	w := httptest.NewRecorder()
 	handler.AuthCheck(w, req)
 	if w.Code != http.StatusOK {
 		t.Fatalf("expected status 200, got %d", w.Code)
 	}
 	var result map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&result); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	if result["status"] != "authenticated" {
 		t.Errorf("status = %q, want authenticated", result["status"])
 	}
 	admin, ok := result["admin"].(bool)
 	if !ok {
 		t.Fatalf("admin field missing or wrong type: %T", result["admin"])
 	}
 	if admin {
 		t.Errorf("admin = true for no-auth context, want false")
 	}
 	if result["user"] != "" {
 		t.Errorf("user = %q, want empty string", result["user"])
 	}
 }
@@ -11,15 +11,18 @@ import (
 	"time"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/service"
 )
 // MockJobService is a mock implementation of JobService interface.
 // Approve/Reject closures now take the actor string so tests can assert
 // actor propagation from the auth middleware → handler → service.
 type MockJobService struct {
 	ListJobsFn   func(status, jobType string, page, perPage int) ([]domain.Job, int64, error)
 	GetJobFn     func(id string) (*domain.Job, error)
 	CancelJobFn  func(id string) error
-	ApproveJobFn func(id string) error
+	ApproveJobFn func(id, actor string) error
-	RejectJobFn  func(id string, reason string) error
+	RejectJobFn  func(id, reason, actor string) error
 }
 func (m *MockJobService) ListJobs(_ context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error) {
@@ -43,16 +46,16 @@ func (m *MockJobService) CancelJob(_ context.Context, id string) error {
 	return nil
 }
-func (m *MockJobService) ApproveJob(_ context.Context, id string) error {
+func (m *MockJobService) ApproveJob(_ context.Context, id, actor string) error {
 	if m.ApproveJobFn != nil {
-		return m.ApproveJobFn(id)
+		return m.ApproveJobFn(id, actor)
 	}
 	return nil
 }
-func (m *MockJobService) RejectJob(_ context.Context, id string, reason string) error {
+func (m *MockJobService) RejectJob(_ context.Context, id, reason, actor string) error {
 	if m.RejectJobFn != nil {
-		return m.RejectJobFn(id, reason)
+		return m.RejectJobFn(id, reason, actor)
 	}
 	return nil
 }
@@ -348,7 +351,7 @@ func TestCancelJob_EmptyID(t *testing.T) {
 func TestApproveJob_Success(t *testing.T) {
 	var approvedID string
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			approvedID = id
 			return nil
 		},
@@ -379,7 +382,7 @@ func TestApproveJob_Success(t *testing.T) {
 func TestApproveJob_NotFound(t *testing.T) {
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			return fmt.Errorf("job not found: no rows")
 		},
 	}
@@ -398,7 +401,7 @@ func TestApproveJob_NotFound(t *testing.T) {
 func TestApproveJob_BadStatus(t *testing.T) {
 	mock := &MockJobService{
-		ApproveJobFn: func(id string) error {
+		ApproveJobFn: func(id, actor string) error {
 			return fmt.Errorf("cannot approve job with status Running")
 		},
 	}
@@ -427,10 +430,56 @@ func TestApproveJob_MethodNotAllowed(t *testing.T) {
 	}
 }
 // TestApproveJob_SelfApproval_Returns403 verifies the M-003 separation-of-duties
 // wire: when the service returns ErrSelfApproval the handler must surface HTTP
 // 403 Forbidden (NOT 500). The error sentinel crosses the service boundary via
 // errors.Is so the handler can pattern-match regardless of any fmt.Errorf
 // wrapping that may be added later.
 func TestApproveJob_SelfApproval_Returns403(t *testing.T) {
 	var capturedActor string
 	mock := &MockJobService{
 		ApproveJobFn: func(id, actor string) error {
 			capturedActor = actor
 			return service.ErrSelfApproval
 		},
 	}
 	h := NewJobHandler(mock)
 	req := httptest.NewRequest(http.MethodPost, "/api/v1/jobs/job-self/approve", nil)
 	req = req.WithContext(contextWithRequestID())
 	w := httptest.NewRecorder()
 	h.ApproveJob(w, req)
 	if w.Code != http.StatusForbidden {
 		t.Fatalf("expected status 403, got %d", w.Code)
 	}
 	var resp map[string]any
 	if err := json.NewDecoder(w.Body).Decode(&resp); err != nil {
 		t.Fatalf("failed to decode response: %v", err)
 	}
 	// Response body should name the self-approval condition explicitly so
 	// operators triaging a 403 can distinguish it from other forbid paths.
 	// The ErrorResponse envelope uses "error" for the status text and
 	// "message" for the human-readable explanation — we assert on message.
 	msg, _ := resp["message"].(string)
 	if !strings.Contains(strings.ToLower(msg), "self-approval") {
 		t.Errorf("expected message to mention self-approval, got %q", msg)
 	}
 	// The handler resolves the actor from the auth context; in this test the
 	// request has no auth context, so the propagated actor is the anonymous
 	// fallback ("" or "anonymous" depending on middleware wiring). We only
 	// assert the closure observed *some* actor string — the detailed actor
 	// threading is covered by resolveActor unit tests.
 	_ = capturedActor
 }
 func TestRejectJob_Success(t *testing.T) {
 	var rejectedID, capturedReason string
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			rejectedID = id
 			capturedReason = reason
 			return nil
@@ -458,7 +507,7 @@ func TestRejectJob_Success(t *testing.T) {
 func TestRejectJob_NoReason(t *testing.T) {
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			return nil
 		},
 	}
@@ -477,7 +526,7 @@ func TestRejectJob_NoReason(t *testing.T) {
 func TestRejectJob_NotFound(t *testing.T) {
 	mock := &MockJobService{
-		RejectJobFn: func(id string, reason string) error {
+		RejectJobFn: func(id, reason, actor string) error {
 			return fmt.Errorf("job not found: no rows")
 		},
 	}
@@ -3,6 +3,7 @@ package handler
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"io"
 	"net/http"
 	"strconv"
@@ -10,6 +11,7 @@ import (
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/service"
 )
 // JobService defines the service interface for job operations.
@@ -17,8 +19,13 @@ type JobService interface {
 	ListJobs(ctx context.Context, status, jobType string, page, perPage int) ([]domain.Job, int64, error)
 	GetJob(ctx context.Context, id string) (*domain.Job, error)
 	CancelJob(ctx context.Context, id string) error
-	ApproveJob(ctx context.Context, id string) error
+	// ApproveJob approves a renewal job. actor is the named-key identity
-	RejectJob(ctx context.Context, id string, reason string) error
+	// resolved from the auth middleware; the service returns ErrSelfApproval
 	// (mapped to 403) when actor matches the certificate owner.
 	ApproveJob(ctx context.Context, id, actor string) error
 	// RejectJob rejects a renewal job. actor is the named-key identity
 	// recorded for audit attribution; no not-self restriction.
 	RejectJob(ctx context.Context, id, reason, actor string) error
 }
 // JobHandler handles HTTP requests for job operations.
@@ -150,7 +157,16 @@ func (h JobHandler) ApproveJob(w http.ResponseWriter, r *http.Request) {
 	}
 	jobID := parts[0]
-	if err := h.svc.ApproveJob(r.Context(), jobID); err != nil {
+	actor := resolveActor(r.Context())
 	if err := h.svc.ApproveJob(r.Context(), jobID, actor); err != nil {
 		// M-003: self-approval by the certificate owner is forbidden.
 		if errors.Is(err, service.ErrSelfApproval) {
 			ErrorWithRequestID(w, http.StatusForbidden,
 				"Self-approval is forbidden: the certificate owner cannot approve their own renewal",
 				requestID)
 			return
 		}
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -194,7 +210,9 @@ func (h JobHandler) RejectJob(w http.ResponseWriter, r *http.Request) {
 		}
 	}
-	if err := h.svc.RejectJob(r.Context(), jobID, body.Reason); err != nil {
+	actor := resolveActor(r.Context())
 	if err := h.svc.RejectJob(r.Context(), jobID, body.Reason, actor); err != nil {
 		if strings.Contains(err.Error(), "not found") {
 			ErrorWithRequestID(w, http.StatusNotFound, "Job not found", requestID)
 			return
@@ -1,14 +1,34 @@
 package handler
 import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/shankar0123/certctl/internal/api/middleware"
 )
 // resolveActor extracts the authenticated named-key identity from the request
 // context for audit-trail attribution. Returns the named-key name when set by
 // the auth middleware, or "api" as a safe sentinel when the auth middleware
 // did not populate the context (e.g., AUTH_TYPE=none, or internal/system calls
 // that bypass auth).
 //
 // Post-M-002: this is the single source of truth for handler-layer actor
 // resolution. Handlers must NOT hardcode string literals like "api-key-user"
 // or "api" — always go through this helper so the named-key identity flows to
 // services and the audit trail.
 func resolveActor(ctx context.Context) string {
 	if user := middleware.GetUser(ctx); user != "" {
 		return user
 	}
 	return "api"
 }
 // PagedResponse represents a paginated API response.
 type PagedResponse struct {
 	Data    interface{} `json:"data"`
@@ -115,7 +115,7 @@ func (a *AuditMiddleware) Middleware(next http.Handler) http.Handler {
 		// Extract actor from auth context
 		actor := "anonymous"
-		if user, ok := GetUser(r.Context()); ok && user != "" {
+		if user := GetUser(r.Context()); user != "" {
 			actor = user
 		}
@@ -269,8 +269,9 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	}))
 	req := httptest.NewRequest(http.MethodDelete, "/api/v1/certificates/mc-1", nil)
-	// Simulate auth middleware having set the user in context
+	// Simulate auth middleware having set the named-key identity in context
-	ctx := context.WithValue(req.Context(), UserKey{}, "api-key-user")
+	// (post-M-002: actor is the named-key name, not the old "api-key-user").
 	ctx := context.WithValue(req.Context(), UserKey{}, "ops-admin")
 	req = req.WithContext(ctx)
 	rr := httptest.NewRecorder()
@@ -284,8 +285,8 @@ func TestAuditLog_ExtractsAuthenticatedActor(t *testing.T) {
 	if len(calls) != 1 {
 		t.Fatalf("expected 1 audit call, got %d", len(calls))
 	}
-	if calls[0].Actor != "api-key-user" {
+	if calls[0].Actor != "ops-admin" {
-		t.Errorf("expected actor api-key-user, got %s", calls[0].Actor)
+		t.Errorf("expected actor ops-admin, got %s", calls[0].Actor)
 	}
 	if calls[0].Method != "DELETE" {
 		t.Errorf("expected method DELETE, got %s", calls[0].Method)
@@ -22,6 +22,16 @@ type RequestIDKey struct{}
 // UserKey is the context key for storing authenticated user information.
 type UserKey struct{}
 // AdminKey is the context key for storing admin flag information.
 type AdminKey struct{}
 // NamedAPIKey represents a named API key with optional admin flag.
 type NamedAPIKey struct {
 	Name  string
 	Key   string
 	Admin bool
 }
 // RequestID middleware generates a unique request ID and adds it to the request context and response headers.
 func RequestID(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -115,32 +125,32 @@ type AuthConfig struct {
 // NewAuth creates an authentication middleware based on config.
 // When Type is "none", all requests pass through (demo/development mode).
 // When Type is "api-key", requests must include a valid Bearer token.
-// The Secret field supports a comma-separated list of valid API keys for
+// Named keys are supported via []NamedAPIKey input.
-// zero-downtime key rotation. Rotation workflow:
+func NewAuthWithNamedKeys(namedKeys []NamedAPIKey) func(http.Handler) http.Handler {
-//  1. Add new key to comma-separated list, restart server
+	if len(namedKeys) == 0 {
 //  2. Update all agents/clients to use new key
 //  3. Remove old key from list, restart server
 func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
 	if cfg.Type == "none" {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	// Pre-compute hashes of all valid keys for constant-time comparison.
-	// Supports comma-separated list for zero-downtime key rotation.
+	type keyEntry struct {
-	keys := strings.Split(cfg.Secret, ",")
+		hash  string
-	var expectedHashes []string
+		name  string
-	for _, k := range keys {
+		admin bool
-		k = strings.TrimSpace(k)
+	}
-		if k != "" {
+	var entries []keyEntry
-			expectedHashes = append(expectedHashes, HashAPIKey(k))
+	for _, nk := range namedKeys {
-		}
+		entries = append(entries, keyEntry{
 			hash:  HashAPIKey(nk.Key),
 			name:  nk.Name,
 			admin: nk.Admin,
 		})
 	}
 	// Warn if only one key is configured in production mode
-	if len(expectedHashes) == 1 {
+	if len(entries) == 1 {
-		slog.Warn("only one API key configured — consider adding a rotation key via comma-separated CERTCTL_AUTH_SECRET for zero-downtime rotation")
+		slog.Warn("only one API key configured — consider adding a rotation key for zero-downtime rotation")
 	}
 	return func(next http.Handler) http.Handler {
@@ -164,27 +174,60 @@ func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
 			tokenHash := HashAPIKey(token)
 			// Check against all valid keys using constant-time comparison
-			authorized := false
+			var matched *keyEntry
-			for _, expectedHash := range expectedHashes {
+			for i := range entries {
-				if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(expectedHash)) == 1 {
+				if subtle.ConstantTimeCompare([]byte(tokenHash), []byte(entries[i].hash)) == 1 {
-					authorized = true
+					matched = &entries[i]
 					break
 				}
 			}
-			if !authorized {
+			if matched == nil {
 				w.Header().Set("Content-Type", "application/json; charset=utf-8")
 				http.Error(w, `{"error":"Invalid API key"}`, http.StatusUnauthorized)
 				return
 			}
-			// Store the authenticated identity in context
+			// Store the authenticated identity and admin flag in context
-			ctx := context.WithValue(r.Context(), UserKey{}, "api-key-user")
+			ctx := context.WithValue(r.Context(), UserKey{}, matched.name)
 			ctx = context.WithValue(ctx, AdminKey{}, matched.admin)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
 // NewAuth is a legacy shim that converts a comma-separated Secret list into
 // synthesized legacy-key-N named entries and delegates to NewAuthWithNamedKeys.
 // It preserves the pre-M-002 behavior for callers that still pass raw AuthConfig
 // (primarily cmd/server/main_test.go). The synthesized actor is "legacy-key-N"
 // rather than the old hardcoded "api-key-user" so audit events carry
 // meaningful identity even on the legacy path.
 //
 // Deprecated: Use NewAuthWithNamedKeys with explicit NamedAPIKey entries.
 func NewAuth(cfg AuthConfig) func(http.Handler) http.Handler {
 	if cfg.Type == "none" {
 		return func(next http.Handler) http.Handler {
 			return next
 		}
 	}
 	var namedKeys []NamedAPIKey
 	idx := 0
 	for _, k := range strings.Split(cfg.Secret, ",") {
 		k = strings.TrimSpace(k)
 		if k == "" {
 			continue
 		}
 		namedKeys = append(namedKeys, NamedAPIKey{
 			Name:  fmt.Sprintf("legacy-key-%d", idx),
 			Key:   k,
 			Admin: false,
 		})
 		idx++
 	}
 	return NewAuthWithNamedKeys(namedKeys)
 }
 // RateLimitConfig holds configuration for the rate limiter.
 type RateLimitConfig struct {
 	RPS       float64 // Requests per second
@@ -344,9 +387,20 @@ func getRequestID(ctx context.Context) string {
 }
 // GetUser extracts the authenticated user from context.
-func GetUser(ctx context.Context) (string, bool) {
+// Returns the name of the matched API key and whether it was found.
 func GetUser(ctx context.Context) string {
 	user, ok := ctx.Value(UserKey{}).(string)
-	return user, ok
+	if !ok {
 		return ""
 	}
 	return user
 }
 // IsAdmin extracts the admin flag from context.
 // Returns true if the authenticated user has admin privileges.
 func IsAdmin(ctx context.Context) bool {
 	admin, ok := ctx.Value(AdminKey{}).(bool)
 	return ok && admin
 }
 // responseWriter wraps http.ResponseWriter to capture the status code.
@@ -109,12 +109,10 @@ func (r *Router) RegisterHandlers(reg HandlerRegistry) {
 	r.Register("GET /api/v1/certificates/{id}/export/pem", http.HandlerFunc(reg.Export.ExportPEM))
 	r.Register("POST /api/v1/certificates/{id}/export/pkcs12", http.HandlerFunc(reg.Export.ExportPKCS12))
-	// CRL endpoints: /api/v1/crl (JSON) and /api/v1/crl/{issuer_id} (DER)
+	// NOTE: RFC 5280 CRL and RFC 6960 OCSP endpoints are registered separately
-	r.Register("GET /api/v1/crl", http.HandlerFunc(reg.Certificates.GetCRL))
+	// via RegisterPKIHandlers under /.well-known/pki/ so relying parties can
-	r.Register("GET /api/v1/crl/{issuer_id}", http.HandlerFunc(reg.Certificates.GetDERCRL))
+	// fetch them without presenting certctl API credentials. The legacy
-
+	// /api/v1/crl and /api/v1/ocsp paths have been retired (see M-006).
 	// OCSP responder: /api/v1/ocsp/{issuer_id}/{serial}
 	r.Register("GET /api/v1/ocsp/{issuer_id}/{serial}", http.HandlerFunc(reg.Certificates.HandleOCSP))
 	// Issuers routes: /api/v1/issuers
 	r.Register("GET /api/v1/issuers", http.HandlerFunc(reg.Issuers.ListIssuers))
@@ -262,6 +260,21 @@ func (r *Router) RegisterSCEPHandlers(scep handler.SCEPHandler) {
 	r.Register("POST /scep", http.HandlerFunc(scep.HandleSCEP))
 }
 // RegisterPKIHandlers sets up RFC 5280 CRL and RFC 6960 OCSP routes under
 // /.well-known/pki/. These endpoints are intentionally unauthenticated so
 // relying parties (browsers, OpenSSL, OCSP stapling sidecars, mTLS clients)
 // can fetch revocation data without presenting certctl API credentials.
 // The response bodies are DER-encoded and carry the IANA-registered content
 // types application/pkix-crl and application/ocsp-response.
 //
 // Precedent: EST (RFC 7030) and SCEP (RFC 8894) follow the same pattern —
 // standards-defined wire formats served via a dedicated router registration
 // that cmd/server wires into a no-auth middleware chain.
 func (r *Router) RegisterPKIHandlers(pki handler.CertificateHandler) {
 	r.Register("GET /.well-known/pki/crl/{issuer_id}", http.HandlerFunc(pki.GetDERCRL))
 	r.Register("GET /.well-known/pki/ocsp/{issuer_id}/{serial}", http.HandlerFunc(pki.HandleOCSP))
 }
 // GetMux returns the underlying http.ServeMux for direct access if needed.
 func (r *Router) GetMux() *http.ServeMux {
 	return r.mux
@@ -138,10 +138,9 @@ func TestRegisterHandlers_RoutesDispatch(t *testing.T) {
 		// Export
 		{"GET", "/api/v1/certificates/mc-test/export/pem"},
-		// CRL & OCSP
+		// NOTE: CRL/OCSP moved out of /api/v1/* in M-006. They are now served
-		{"GET", "/api/v1/crl"},
+		// unauthenticated at /.well-known/pki/* via RegisterPKIHandlers and
-		{"GET", "/api/v1/crl/iss-local"},
+		// are verified in TestRegisterPKIHandlers_AllPaths below.
 		{"GET", "/api/v1/ocsp/iss-local/12345"},
 		// Issuers
 		{"GET", "/api/v1/issuers"},
@@ -336,6 +335,60 @@ func TestRegisterESTHandlers_AllPaths(t *testing.T) {
 	}
 }
 // TestRegisterPKIHandlers_AllPaths verifies that RegisterPKIHandlers registers
 // the two RFC-compliant unauthenticated endpoints relocated in M-006:
 //
 //   - GET /.well-known/pki/crl/{issuer_id}    (RFC 5280 §5 DER CRL)
 //   - GET /.well-known/pki/ocsp/{issuer_id}/{serial}  (RFC 6960 §2.1 OCSP)
 //
 // Registration and middleware gating are complementary: this test proves the
 // router matches the path; the unauthenticated contract is enforced separately
 // by cmd/server/main.go's finalHandler routing /.well-known/pki/* through the
 // noAuthHandler.
 func TestRegisterPKIHandlers_AllPaths(t *testing.T) {
 	r := New()
 	// Zero-value CertificateHandler will panic on real calls; the only thing
 	// this test is verifying is that the route dispatches (i.e. the URL
 	// pattern is registered), so catch the downstream panic.
 	recoverMW := func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			defer func() {
 				if rv := recover(); rv != nil {
 					w.WriteHeader(http.StatusOK)
 				}
 			}()
 			next.ServeHTTP(w, r)
 		})
 	}
 	r.RegisterPKIHandlers(handler.CertificateHandler{})
 	testHandler := recoverMW(r)
 	routes := []struct {
 		method string
 		path   string
 	}{
 		{"GET", "/.well-known/pki/crl/iss-local"},
 		{"GET", "/.well-known/pki/ocsp/iss-local/01ABCDEF"},
 	}
 	for _, tc := range routes {
 		t.Run(tc.method+" "+tc.path, func(t *testing.T) {
 			req := httptest.NewRequest(tc.method, tc.path, nil)
 			w := httptest.NewRecorder()
 			testHandler.ServeHTTP(w, req)
 			if w.Code == http.StatusNotFound {
 				t.Errorf("PKI route %s %s returned 404 — route not registered", tc.method, tc.path)
 			}
 			if w.Code == http.StatusMethodNotAllowed {
 				t.Errorf("PKI route %s %s returned 405", tc.method, tc.path)
 			}
 		})
 	}
 }
 // TestGetMux_ReturnsUnderlyingMux tests that GetMux returns the underlying mux.
 func TestGetMux_ReturnsUnderlyingMux(t *testing.T) {
 	r := New()
@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"os"
 	"strconv"
 	"strings"
 	"time"
 )
@@ -721,6 +722,19 @@ type LogConfig struct {
 	Format string
 }
 // NamedAPIKey represents a single named API key with an optional admin flag.
 // Named keys allow real actor attribution in the audit trail (M-002) and provide
 // the admin-gate basis for privileged endpoints like bulk revocation (M-003).
 type NamedAPIKey struct {
 	// Name is the identifier for the key (alphanumeric, hyphens, underscores).
 	// This value is recorded as the actor on every audit event the key authenticates.
 	Name string
 	// Key is the raw API-key secret the client presents as `Authorization: Bearer <key>`.
 	Key string
 	// Admin controls whether the key has admin privileges (bulk revocation, etc.).
 	Admin bool
 }
 // AuthConfig contains authentication configuration.
 type AuthConfig struct {
 	// Type sets the authentication mechanism for the REST API.
@@ -730,12 +744,19 @@ type AuthConfig struct {
 	// Setting: CERTCTL_AUTH_TYPE environment variable. Default: "api-key".
 	Type string
-	// Secret is the authentication secret (API key hash, JWT signing key, etc.).
+	// Secret is the legacy authentication secret (comma-separated API keys).
-	// For "api-key": the base64-encoded API key to validate against.
+	// DEPRECATED in favor of NamedKeys — retained for backward compatibility.
-	// For "jwt": the secret used to verify JWT token signatures.
+	// When NamedKeys is empty and Secret is set, each comma-separated key is
-	// For "none": ignored.
+	// registered as a synthesized named key (legacy-key-0, legacy-key-1, ...)
-	// Setting: CERTCTL_AUTH_SECRET environment variable. Required for "api-key" and "jwt".
+	// with actor attribution defaulting to "legacy-key-<index>".
 	// Setting: CERTCTL_AUTH_SECRET environment variable.
 	Secret string
 	// NamedKeys is the parsed set of named API keys. Populated from
 	// CERTCTL_API_KEYS_NAMED via ParseNamedAPIKeys during Load(). When
 	// non-empty, this takes precedence over the legacy Secret field.
 	// Setting: CERTCTL_API_KEYS_NAMED="name1:key1,name2:key2:admin"
 	NamedKeys []NamedAPIKey
 }
 // RateLimitConfig contains rate limiting configuration.
@@ -794,6 +815,8 @@ func Load() (*Config, error) {
 		Auth: AuthConfig{
 			Type:   getEnv("CERTCTL_AUTH_TYPE", "api-key"),
 			Secret: getEnv("CERTCTL_AUTH_SECRET", ""),
 			// NamedKeys is populated from CERTCTL_API_KEYS_NAMED below so Load()
 			// can surface parse errors alongside other config errors.
 		},
 		RateLimit: RateLimitConfig{
 			Enabled:   getEnvBool("CERTCTL_RATE_LIMIT_ENABLED", true),
@@ -959,6 +982,14 @@ func Load() (*Config, error) {
 		},
 	}
 	// Parse CERTCTL_API_KEYS_NAMED for named key authentication (M-002).
 	// Parse errors surface here so invalid config fails fast at startup.
 	named, err := ParseNamedAPIKeys(getEnv("CERTCTL_API_KEYS_NAMED", ""))
 	if err != nil {
 		return nil, fmt.Errorf("parse CERTCTL_API_KEYS_NAMED: %w", err)
 	}
 	cfg.Auth.NamedKeys = named
 	if err := cfg.Validate(); err != nil {
 		return nil, err
 	}
@@ -1167,3 +1198,79 @@ func (c *Config) GetLogLevel() slog.Level {
 		return slog.LevelInfo
 	}
 }
 // ParseNamedAPIKeys parses the CERTCTL_API_KEYS_NAMED environment variable.
 // Format: "name1:key1,name2:key2:admin,name3:key3"
 // The ":admin" suffix is optional; if present, the key has admin privileges.
 // Returns a typed []NamedAPIKey so main.go can pass it directly to the
 // middleware layer without type assertion gymnastics.
 func ParseNamedAPIKeys(input string) ([]NamedAPIKey, error) {
 	if input == "" {
 		return nil, nil
 	}
 	parts := splitComma(input)
 	var keys []NamedAPIKey
 	seen := make(map[string]bool)
 	for _, part := range parts {
 		part = trimSpace(part)
 		if part == "" {
 			continue
 		}
 		// Split by colon: name:key or name:key:admin
 		fields := strings.Split(part, ":")
 		if len(fields) < 2 || len(fields) > 3 {
 			return nil, fmt.Errorf("invalid named key format: %s (expected name:key or name:key:admin)", part)
 		}
 		name := trimSpace(fields[0])
 		key := trimSpace(fields[1])
 		admin := false
 		if len(fields) == 3 {
 			adminStr := trimSpace(fields[2])
 			if adminStr == "admin" {
 				admin = true
 			} else {
 				return nil, fmt.Errorf("invalid admin flag: %s (expected 'admin')", adminStr)
 			}
 		}
 		// Validate name format: alphanumeric, hyphens, underscores
 		if !isValidKeyName(name) {
 			return nil, fmt.Errorf("invalid key name: %s (must be alphanumeric, hyphens, underscores)", name)
 		}
 		if seen[name] {
 			return nil, fmt.Errorf("duplicate key name: %s", name)
 		}
 		seen[name] = true
 		if key == "" {
 			return nil, fmt.Errorf("empty key for name: %s", name)
 		}
 		keys = append(keys, NamedAPIKey{
 			Name:  name,
 			Key:   key,
 			Admin: admin,
 		})
 	}
 	return keys, nil
 }
 // isValidKeyName checks if a key name is valid (alphanumeric, hyphens, underscores).
 func isValidKeyName(s string) bool {
 	if len(s) == 0 {
 		return false
 	}
 	for _, c := range s {
 		if !((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-' || c == '_') {
 			return false
 		}
 	}
 	return true
 }
@@ -517,12 +517,18 @@ func TestNotificationEndpoints(t *testing.T) {
 	})
 }
-// TestCRLEndpoint exercises the CRL listing endpoint (M15a).
+// TestCRLEndpoint exercises the RFC 5280 DER-encoded CRL endpoint served
 // unauthenticated at /.well-known/pki/crl/{issuer_id} (M-006 relocation from
 // the pre-M-006 JSON CRL at /api/v1/crl, which was removed entirely because
 // RFC 5280 §5 defines only the DER wire format).
 func TestCRLEndpoint(t *testing.T) {
 	server, _, _, _ := setupTestServer(t)
-	t.Run("GetCRL_JSON", func(t *testing.T) {
+	t.Run("GetDERCRL_Unauthenticated", func(t *testing.T) {
-		resp, err := http.Get(server.URL + "/api/v1/crl")
+		// Intentionally no Authorization header — relying parties can't present
 		// a certctl API key, so the PKI endpoints are exposed under the
 		// RFC 8615 `.well-known` namespace with auth bypassed.
 		resp, err := http.Get(server.URL + "/.well-known/pki/crl/iss-local")
 		if err != nil {
 			t.Fatalf("request failed: %v", err)
 		}
@@ -531,15 +537,17 @@ func TestCRLEndpoint(t *testing.T) {
 			bodyBytes, _ := io.ReadAll(resp.Body)
 			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
 		}
-		var crl map[string]interface{}
+		if ct := resp.Header.Get("Content-Type"); ct != "application/pkix-crl" {
-		json.NewDecoder(resp.Body).Decode(&crl)
+			t.Errorf("expected Content-Type application/pkix-crl, got %s", ct)
 		if crl["version"] == nil {
 			t.Error("expected version field in CRL response")
 		}
-		if crl["entries"] == nil {
+		body, err := io.ReadAll(resp.Body)
-			t.Error("expected entries field in CRL response")
+		if err != nil {
 			t.Fatalf("read body failed: %v", err)
 		}
-		t.Logf("CRL response: version=%v, entries_count=%v", crl["version"], crl["total"])
+		if len(body) == 0 {
 			t.Error("expected non-empty DER CRL body")
 		}
 		t.Logf("DER CRL response: %d bytes", len(body))
 	})
 }
@@ -64,7 +64,8 @@ func TestCertificateLifecycle(t *testing.T) {
 	certificateService.SetTargetRepo(targetRepo)
 	renewalService := service.NewRenewalService(certRepo, jobRepo, renewalPolicyRepo, nil, auditService, notificationService, issuerRegistry, "server")
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	ownerRepo := newMockOwnerRepository()
 	jobService := service.NewJobService(jobRepo, certRepo, ownerRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
 	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
 	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
@@ -862,6 +863,48 @@ func (m *mockTargetRepository) ListByCertificate(ctx context.Context, certID str
 	return m.List(ctx)
 }
 // mockOwnerRepository satisfies repository.OwnerRepository for the M-003
 // not-self approval wiring. Tests that don't care about owner lookup get an
 // empty map (Get returns errNotFound, which checkNotSelf permits).
 type mockOwnerRepository struct {
 	owners map[string]*domain.Owner
 }
 func newMockOwnerRepository() *mockOwnerRepository {
 	return &mockOwnerRepository{owners: make(map[string]*domain.Owner)}
 }
 func (m *mockOwnerRepository) List(ctx context.Context) ([]*domain.Owner, error) {
 	var out []*domain.Owner
 	for _, o := range m.owners {
 		out = append(out, o)
 	}
 	return out, nil
 }
 func (m *mockOwnerRepository) Get(ctx context.Context, id string) (*domain.Owner, error) {
 	o, ok := m.owners[id]
 	if !ok {
 		return nil, fmt.Errorf("owner not found")
 	}
 	return o, nil
 }
 func (m *mockOwnerRepository) Create(ctx context.Context, o *domain.Owner) error {
 	m.owners[o.ID] = o
 	return nil
 }
 func (m *mockOwnerRepository) Update(ctx context.Context, o *domain.Owner) error {
 	m.owners[o.ID] = o
 	return nil
 }
 func (m *mockOwnerRepository) Delete(ctx context.Context, id string) error {
 	delete(m.owners, id)
 	return nil
 }
 type mockNotificationRepository struct {
 	notifications []*domain.NotificationEvent
 }
@@ -56,7 +56,8 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 	certificateService.SetCAOperationsSvc(caOperationsSvc)
 	renewalService := service.NewRenewalService(certRepo, jobRepo, renewalPolicyRepo, nil, auditService, notificationService, issuerRegistry, "server")
 	deploymentService := service.NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notificationService)
-	jobService := service.NewJobService(jobRepo, renewalService, deploymentService, logger)
+	ownerRepo := newMockOwnerRepository()
 	jobService := service.NewJobService(jobRepo, certRepo, ownerRepo, renewalService, deploymentService, logger)
 	agentService := service.NewAgentService(agentRepo, certRepo, jobRepo, targetRepo, auditService, issuerRegistry, renewalService)
 	// 32-byte AES-256 test key — C-2 remediation makes IssuerService fail closed
 	// without a configured CERTCTL_CONFIG_ENCRYPTION_KEY. Happy-path CRUD tests
@@ -112,6 +113,10 @@ func setupTestServer(t *testing.T) (*httptest.Server, *mockCertificateRepository
 		BulkRevocation:  handler.BulkRevocationHandler{},
 	})
 	r.RegisterESTHandlers(estHandler)
 	// M-006: CRL + OCSP live under /.well-known/pki/ (RFC 5280 + RFC 6960 + RFC 8615).
 	// The negative_test integration suite exercises the DER CRL at this path with
 	// no Authorization header to verify the relying-party contract.
 	r.RegisterPKIHandlers(certificateHandler)
 	server := httptest.NewServer(r)
 	t.Cleanup(func() { server.Close() })
@@ -789,8 +794,14 @@ func TestRevocationEndpoints(t *testing.T) {
 		}
 	})
-	t.Run("GetCRL_Success", func(t *testing.T) {
+	// M-006: the non-standard JSON CRL at GET /api/v1/crl was removed entirely.
-		resp, err := http.Get(server.URL + "/api/v1/crl")
+	// RFC 5280 §5 defines only the DER wire format, which is now served
 	// unauthenticated under /.well-known/pki/crl/{issuer_id} (RFC 8615) so
 	// relying parties can fetch revocation data without a certctl API key.
 	// We verify the contract by requesting with no Authorization header and
 	// asserting DER content-type + a non-empty body.
 	t.Run("GetDERCRL_Unauthenticated", func(t *testing.T) {
 		resp, err := http.Get(server.URL + "/.well-known/pki/crl/iss-local")
 		if err != nil {
 			t.Fatalf("request failed: %v", err)
 		}
@@ -801,17 +812,17 @@ func TestRevocationEndpoints(t *testing.T) {
 			t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(bodyBytes))
 		}
-		var crl map[string]interface{}
+		ct := resp.Header.Get("Content-Type")
-		json.NewDecoder(resp.Body).Decode(&crl)
+		if ct != "application/pkix-crl" {
-
+			t.Errorf("expected Content-Type application/pkix-crl, got %s", ct)
 		if crl["version"] != float64(1) {
 			t.Errorf("expected CRL version 1, got %v", crl["version"])
 		}
-		// Should have at least 1 entry from the revocation above
+		body, err := io.ReadAll(resp.Body)
-		total, _ := crl["total"].(float64)
+		if err != nil {
-		if total < 1 {
+			t.Fatalf("read body failed: %v", err)
-			t.Errorf("expected at least 1 CRL entry, got %v", total)
+		}
 		if len(body) == 0 {
 			t.Error("expected non-empty DER CRL body")
 		}
 	})
 }
@@ -203,7 +203,7 @@ func TestClient_GetRaw(t *testing.T) {
 	defer server.Close()
 	c := NewClient(server.URL, "test-key")
-	data, contentType, err := c.GetRaw("/api/v1/crl/iss-local")
+	data, contentType, err := c.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -223,7 +223,7 @@ func TestClient_GetRaw_Error(t *testing.T) {
 	defer server.Close()
 	c := NewClient(server.URL, "test-key")
-	_, _, err := c.GetRaw("/api/v1/crl/nonexistent")
+	_, _, err := c.GetRaw("/.well-known/pki/crl/nonexistent")
 	if err == nil {
 		t.Fatal("expected error for 404 response")
 	}
@@ -217,24 +217,19 @@ func registerCertificateTools(s *gomcp.Server, c *Client) {
 }
 // ── CRL & OCSP ──────────────────────────────────────────────────────
 //
 // M-006 relocation: CRL and OCSP are served unauthenticated under the
 // RFC 8615 `.well-known/pki/*` namespace (RFC 5280 §5 for CRL, RFC 6960
 // §2.1 for OCSP) so relying parties can retrieve them without a certctl
 // API key. The non-standard JSON CRL tool (`certctl_get_crl`) has been
 // removed — RFC 5280 defines only the DER wire format.
 func registerCRLOCSPTools(s *gomcp.Server, c *Client) {
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_get_crl",
 		Description: "Get the Certificate Revocation List in JSON format. Lists all revoked certificate serial numbers with reasons and timestamps.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input EmptyInput) (*gomcp.CallToolResult, any, error) {
 		data, err := c.Get("/api/v1/crl", nil)
 		if err != nil {
 			return errorResult(err)
 		}
 		return textResult(data)
 	})
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_get_der_crl",
-		Description: "Get DER-encoded X.509 CRL for a specific issuer. Returns binary CRL data signed by the issuing CA.",
+		Description: "Get DER-encoded X.509 CRL for a specific issuer (RFC 5280). Served unauthenticated at /.well-known/pki/crl/{issuer_id}. Returns binary CRL data signed by the issuing CA.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input GetDERCRLInput) (*gomcp.CallToolResult, any, error) {
-		raw, contentType, err := c.GetRaw("/api/v1/crl/" + input.IssuerID)
+		raw, contentType, err := c.GetRaw("/.well-known/pki/crl/" + input.IssuerID)
 		if err != nil {
 			return errorResult(err)
 		}
@@ -247,9 +242,9 @@ func registerCRLOCSPTools(s *gomcp.Server, c *Client) {
 	gomcp.AddTool(s, &gomcp.Tool{
 		Name:        "certctl_ocsp_check",
-		Description: "Check OCSP status for a certificate by issuer ID and hex serial number. Returns good, revoked, or unknown.",
+		Description: "Check OCSP status for a certificate by issuer ID and hex serial number (RFC 6960). Served unauthenticated at /.well-known/pki/ocsp/{issuer_id}/{serial}. Returns good, revoked, or unknown.",
 	}, func(ctx context.Context, req *gomcp.CallToolRequest, input OCSPInput) (*gomcp.CallToolResult, any, error) {
-		raw, contentType, err := c.GetRaw("/api/v1/ocsp/" + input.IssuerID + "/" + input.Serial)
+		raw, contentType, err := c.GetRaw("/.well-known/pki/ocsp/" + input.IssuerID + "/" + input.Serial)
 		if err != nil {
 			return errorResult(err)
 		}
@@ -378,7 +378,7 @@ func TestToolEndToEnd_GetRawBinary(t *testing.T) {
 	defer server.Close()
 	client := NewClient(server.URL, "test-key")
-	data, ct, err := client.GetRaw("/api/v1/crl/iss-local")
+	data, ct, err := client.GetRaw("/.well-known/pki/crl/iss-local")
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -2,31 +2,52 @@ package service
 import (
 	"context"
 	"errors"
 	"fmt"
 	"log/slog"
 	"strings"
 	"github.com/shankar0123/certctl/internal/domain"
 	"github.com/shankar0123/certctl/internal/repository"
 )
 // ErrSelfApproval is returned by ApproveJob when the actor attempting to
 // approve a renewal job is the same person listed as the owner of the
 // underlying certificate. M-003 enforces separation of duties: the owner who
 // requested (or benefits from) the renewal must not be the same identity that
 // approves it. Handlers map this sentinel to HTTP 403 Forbidden.
 var ErrSelfApproval = errors.New("self-approval forbidden: actor is the owner of the certificate")
 // JobService manages job processing and status tracking.
 // It coordinates between the scheduler and various job-specific services.
 type JobService struct {
 	jobRepo           repository.JobRepository
 	certRepo          repository.CertificateRepository
 	ownerRepo         repository.OwnerRepository
 	renewalService    *RenewalService
 	deploymentService *DeploymentService
 	logger            *slog.Logger
 }
 // NewJobService creates a new job service.
 //
 // certRepo and ownerRepo are required for the M-003 not-self-approval check
 // in ApproveJob. Callers may pass nil for either to disable the check
 // (useful for tests that don't exercise the approval path); when nil, the
 // service logs a warning on the first approval attempt and permits the
 // transition. Production wiring must supply both.
 func NewJobService(
 	jobRepo repository.JobRepository,
 	certRepo repository.CertificateRepository,
 	ownerRepo repository.OwnerRepository,
 	renewalService *RenewalService,
 	deploymentService *DeploymentService,
 	logger *slog.Logger,
 ) *JobService {
 	return &JobService{
 		jobRepo:           jobRepo,
 		certRepo:          certRepo,
 		ownerRepo:         ownerRepo,
 		renewalService:    renewalService,
 		deploymentService: deploymentService,
 		logger:            logger,
@@ -264,7 +285,13 @@ func (s *JobService) GetJob(ctx context.Context, id string) (*domain.Job, error)
 // ApproveJob approves a renewal job that is awaiting approval.
 // Transitions the job from AwaitingApproval to Pending so the scheduler picks it up.
-func (s *JobService) ApproveJob(ctx context.Context, id string) error {
+//
 // actor is the named-key identity of the approver (from the auth middleware
 // via resolveActor). M-003: if actor matches the certificate owner's Name or
 // Email (case-insensitive), returns ErrSelfApproval to enforce separation of
 // duties. Callers must pass a non-empty actor; empty actor is treated as an
 // anonymous system caller and permitted (internal/system paths).
 func (s *JobService) ApproveJob(ctx context.Context, id, actor string) error {
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -274,17 +301,29 @@ func (s *JobService) ApproveJob(ctx context.Context, id string) error {
 		return fmt.Errorf("cannot approve job with status %s (must be AwaitingApproval)", job.Status)
 	}
 	if err := s.checkNotSelf(ctx, job, actor); err != nil {
 		return err
 	}
 	if err := s.jobRepo.UpdateStatus(ctx, id, domain.JobStatusPending, ""); err != nil {
 		return fmt.Errorf("failed to approve job: %w", err)
 	}
-	s.logger.Info("renewal job approved", "job_id", id, "certificate_id", job.CertificateID)
+	s.logger.Info("renewal job approved",
 		"job_id", id,
 		"certificate_id", job.CertificateID,
 		"actor", actor)
 	return nil
 }
 // RejectJob rejects a renewal job that is awaiting approval.
 // Transitions the job to Cancelled with a rejection reason.
-func (s *JobService) RejectJob(ctx context.Context, id string, reason string) error {
+//
 // actor is the named-key identity of the rejector (from the auth middleware
 // via resolveActor). Rejection is NOT subject to the not-self check — an
 // owner is permitted to cancel their own pending renewal. actor is recorded
 // on the log line for audit attribution.
 func (s *JobService) RejectJob(ctx context.Context, id, reason, actor string) error {
 	job, err := s.jobRepo.Get(ctx, id)
 	if err != nil {
 		return fmt.Errorf("job not found: %w", err)
@@ -303,6 +342,67 @@ func (s *JobService) RejectJob(ctx context.Context, id string, reason string) er
 		return fmt.Errorf("failed to reject job: %w", err)
 	}
-	s.logger.Info("renewal job rejected", "job_id", id, "certificate_id", job.CertificateID, "reason", reason)
+	s.logger.Info("renewal job rejected",
 		"job_id", id,
 		"certificate_id", job.CertificateID,
 		"reason", reason,
 		"actor", actor)
 	return nil
 }
 // checkNotSelf enforces the M-003 separation-of-duties rule for renewal
 // approval: the actor approving a job may not be the owner of the underlying
 // certificate.
 //
 // Resolution rules:
 //   - Empty actor → permitted (internal/system caller; auth middleware already
 //     short-circuits anonymous users at the handler layer).
 //   - certRepo or ownerRepo nil → warn once, permit (test/bootstrap wiring).
 //   - Job has no certificate or certificate has no OwnerID → permitted (no
 //     owner to collide with).
 //   - Owner record not found → warn, permit (defensive: stale FK should not
 //     block operations).
 //   - Case-insensitive match against owner.Name OR owner.Email → returns
 //     ErrSelfApproval.
 func (s *JobService) checkNotSelf(ctx context.Context, job *domain.Job, actor string) error {
 	if actor == "" {
 		return nil
 	}
 	if s.certRepo == nil || s.ownerRepo == nil {
 		s.logger.Warn("not-self approval check skipped: cert/owner repo not wired",
 			"job_id", job.ID, "actor", actor)
 		return nil
 	}
 	if job.CertificateID == "" {
 		return nil
 	}
 	cert, err := s.certRepo.Get(ctx, job.CertificateID)
 	if err != nil {
 		s.logger.Warn("not-self approval check: certificate lookup failed",
 			"job_id", job.ID, "certificate_id", job.CertificateID, "error", err)
 		return nil
 	}
 	if cert == nil || cert.OwnerID == "" {
 		return nil
 	}
 	owner, err := s.ownerRepo.Get(ctx, cert.OwnerID)
 	if err != nil || owner == nil {
 		s.logger.Warn("not-self approval check: owner lookup failed",
 			"job_id", job.ID, "owner_id", cert.OwnerID, "error", err)
 		return nil
 	}
 	actorLower := strings.ToLower(actor)
 	if strings.ToLower(owner.Name) == actorLower || strings.ToLower(owner.Email) == actorLower {
 		s.logger.Warn("self-approval blocked",
 			"job_id", job.ID,
 			"certificate_id", job.CertificateID,
 			"owner_id", owner.ID,
 			"actor", actor)
 		return ErrSelfApproval
 	}
 	return nil
 }
@@ -2,6 +2,7 @@ package service
 import (
 	"context"
 	"errors"
 	"log/slog"
 	"os"
 	"testing"
@@ -12,12 +13,21 @@ import (
 // helper to build job service with proper constructor signatures
 func newTestJobService(jobRepo *mockJobRepo) *JobService {
 	svc, _, _ := newTestJobServiceWithRepos(jobRepo)
 	return svc
 }
 // newTestJobServiceWithRepos returns the service along with the cert+owner
 // repos so self-approval tests can seed owner linkage without rebuilding the
 // whole dependency graph.
 func newTestJobServiceWithRepos(jobRepo *mockJobRepo) (*JobService, *mockCertRepo, *mockOwnerRepo) {
 	logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelInfo}))
 	certRepo := &mockCertRepo{
 		Certs:    make(map[string]*domain.ManagedCertificate),
 		Versions: make(map[string][]*domain.CertificateVersion),
 	}
 	ownerRepo := newMockOwnerRepository()
 	renewalPolicyRepo := &mockRenewalPolicyRepo{
 		Policies: make(map[string]*domain.RenewalPolicy),
 	}
@@ -32,7 +42,7 @@ func newTestJobService(jobRepo *mockJobRepo) *JobService {
 	renewalService := NewRenewalService(certRepo, jobRepo, renewalPolicyRepo, nil, auditService, notifService, issuerRegistry, "server")
 	deploymentService := NewDeploymentService(jobRepo, targetRepo, agentRepo, certRepo, auditService, notifService)
-	return NewJobService(jobRepo, renewalService, deploymentService, logger)
+	return NewJobService(jobRepo, certRepo, ownerRepo, renewalService, deploymentService, logger), certRepo, ownerRepo
 }
 func TestProcessPendingJobs_Renewal(t *testing.T) {
@@ -249,3 +259,142 @@ func TestListJobs_FilterByStatus(t *testing.T) {
 		t.Errorf("expected total 1, got %d", total)
 	}
 }
 // --- M-003: not-self approval (separation of duties) ---
 //
 // These regression tests enforce that ApproveJob returns ErrSelfApproval when
 // the actor matches the certificate owner's Name or Email (case-insensitive).
 // Rejection is intentionally NOT gated — owners may cancel their own pending
 // renewals. Handlers map ErrSelfApproval to HTTP 403.
 // seedSelfApprovalFixtures populates the mock repos with a realistic
 // AwaitingApproval renewal job owned by "alice" and returns the service under
 // test. The cert points at owner "o-alice" so checkNotSelf has a full resolution
 // path.
 func seedSelfApprovalFixtures(t *testing.T) (*JobService, *mockJobRepo) {
 	t.Helper()
 	now := time.Now()
 	job := &domain.Job{
 		ID:            "job-self",
 		Type:          domain.JobTypeRenewal,
 		CertificateID: "cert-self",
 		Status:        domain.JobStatusAwaitingApproval,
 		CreatedAt:     now,
 		ScheduledAt:   now,
 	}
 	jobRepo := &mockJobRepo{
 		Jobs:          map[string]*domain.Job{job.ID: job},
 		StatusUpdates: make(map[string]domain.JobStatus),
 	}
 	svc, certRepo, ownerRepo := newTestJobServiceWithRepos(jobRepo)
 	certRepo.AddCert(&domain.ManagedCertificate{
 		ID:        "cert-self",
 		OwnerID:   "o-alice",
 		CreatedAt: now,
 		UpdatedAt: now,
 	})
 	ownerRepo.AddOwner(&domain.Owner{
 		ID:        "o-alice",
 		Name:      "alice",
 		Email:     "alice@example.com",
 		CreatedAt: now,
 		UpdatedAt: now,
 	})
 	return svc, jobRepo
 }
 func TestApproveJob_SelfApprovalForbidden_NameMatch(t *testing.T) {
 	ctx := context.Background()
 	svc, jobRepo := seedSelfApprovalFixtures(t)
 	err := svc.ApproveJob(ctx, "job-self", "alice")
 	if err == nil {
 		t.Fatal("expected ErrSelfApproval, got nil")
 	}
 	if !errors.Is(err, ErrSelfApproval) {
 		t.Fatalf("expected errors.Is(err, ErrSelfApproval), got %v", err)
 	}
 	if _, flipped := jobRepo.StatusUpdates["job-self"]; flipped {
 		t.Error("expected job status unchanged after self-approval block")
 	}
 }
 func TestApproveJob_SelfApprovalForbidden_EmailMatch(t *testing.T) {
 	ctx := context.Background()
 	svc, jobRepo := seedSelfApprovalFixtures(t)
 	err := svc.ApproveJob(ctx, "job-self", "alice@example.com")
 	if err == nil {
 		t.Fatal("expected ErrSelfApproval, got nil")
 	}
 	if !errors.Is(err, ErrSelfApproval) {
 		t.Fatalf("expected errors.Is(err, ErrSelfApproval), got %v", err)
 	}
 	if _, flipped := jobRepo.StatusUpdates["job-self"]; flipped {
 		t.Error("expected job status unchanged after self-approval block")
 	}
 }
 func TestApproveJob_SelfApprovalForbidden_CaseInsensitive(t *testing.T) {
 	ctx := context.Background()
 	svc, _ := seedSelfApprovalFixtures(t)
 	// Uppercase name should still collide — the check must be case-insensitive.
 	if err := svc.ApproveJob(ctx, "job-self", "ALICE"); !errors.Is(err, ErrSelfApproval) {
 		t.Fatalf("expected ErrSelfApproval for uppercase name match, got %v", err)
 	}
 	// Mixed-case email should also collide.
 	if err := svc.ApproveJob(ctx, "job-self", "Alice@Example.COM"); !errors.Is(err, ErrSelfApproval) {
 		t.Fatalf("expected ErrSelfApproval for mixed-case email match, got %v", err)
 	}
 }
 func TestApproveJob_DifferentActor_Permitted(t *testing.T) {
 	ctx := context.Background()
 	svc, jobRepo := seedSelfApprovalFixtures(t)
 	// A different named key must be allowed to approve.
 	if err := svc.ApproveJob(ctx, "job-self", "bob"); err != nil {
 		t.Fatalf("expected approval to succeed for non-owner actor, got %v", err)
 	}
 	if jobRepo.StatusUpdates["job-self"] != domain.JobStatusPending {
 		t.Errorf("expected status Pending after approval, got %s",
 			jobRepo.StatusUpdates["job-self"])
 	}
 }
 func TestApproveJob_EmptyActor_Permitted(t *testing.T) {
 	ctx := context.Background()
 	svc, jobRepo := seedSelfApprovalFixtures(t)
 	// Empty actor represents an internal/system caller. The handler layer
 	// enforces authenticated-only, so this branch exists only for defensive
 	// in-process paths (scheduler-driven auto-approval, tests, etc.).
 	if err := svc.ApproveJob(ctx, "job-self", ""); err != nil {
 		t.Fatalf("expected empty actor to be permitted, got %v", err)
 	}
 	if jobRepo.StatusUpdates["job-self"] != domain.JobStatusPending {
 		t.Errorf("expected status Pending after approval, got %s",
 			jobRepo.StatusUpdates["job-self"])
 	}
 }
 func TestRejectJob_SelfRejection_Permitted(t *testing.T) {
 	ctx := context.Background()
 	svc, jobRepo := seedSelfApprovalFixtures(t)
 	// Owner must be able to reject their own pending renewal — M-003 scopes the
 	// not-self rule to approval only.
 	if err := svc.RejectJob(ctx, "job-self", "no longer needed", "alice"); err != nil {
 		t.Fatalf("expected owner to reject own job, got %v", err)
 	}
 	if jobRepo.StatusUpdates["job-self"] != domain.JobStatusCancelled {
 		t.Errorf("expected status Cancelled after rejection, got %s",
 			jobRepo.StatusUpdates["job-self"])
 	}
 }
@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach, vi } from 'vitest';
 import {
  setApiKey,
  getApiKey,
  checkAuth,
  getCertificates,
  getCertificate,
  getCertificateVersions,
@@ -86,7 +87,6 @@ import {
  getTarget,
  getPrometheusMetrics,
  getCertificateDeployments,
  getCRL,
  getOCSPStatus,
  updateIssuer,
  updateTarget,
@@ -179,6 +179,46 @@ describe('API Client', () => {
    });
  });
  // ─── checkAuth (M-003: surfaces user + admin) ──────
  describe('checkAuth', () => {
    // Post-M-003 /auth/check returns {status, user, admin}. The admin flag drives
    // GUI gating of admin-only affordances (bulk revoke, etc.). Authoritative
    // enforcement lives server-side — this test only pins the contract the
    // AuthProvider depends on.
    it('returns {status, user, admin} shape and sends Bearer token', async () => {
      mockFetch.mockReturnValueOnce(
        mockJsonResponse({ status: 'authenticated', user: 'ops-admin', admin: true }),
      );
      const resp = await checkAuth('test-api-key');
      const [url, init] = mockFetch.mock.calls[0];
      expect(url).toBe('/api/v1/auth/check');
      expect(init.headers['Authorization']).toBe('Bearer test-api-key');
      expect(init.headers['Content-Type']).toBe('application/json');
      expect(resp.status).toBe('authenticated');
      expect(resp.user).toBe('ops-admin');
      expect(resp.admin).toBe(true);
    });
    it('returns admin=false for non-admin callers', async () => {
      mockFetch.mockReturnValueOnce(
        mockJsonResponse({ status: 'authenticated', user: 'alice', admin: false }),
      );
      const resp = await checkAuth('alice-key');
      expect(resp.user).toBe('alice');
      expect(resp.admin).toBe(false);
    });
    it('throws on invalid API key', async () => {
      mockFetch.mockReturnValueOnce(mockErrorResponse(401));
      await expect(checkAuth('bad-key')).rejects.toThrow('Invalid API key');
    });
  });
  // ─── Error handling ─────────────────────────────────
  describe('Error handling', () => {
@@ -1213,13 +1253,12 @@ describe('API Client', () => {
      expect(mockFetch.mock.calls[0][0]).toContain('/api/v1/certificates/mc-1/deployments');
    });
-    it('getCRL sends GET to /crl', async () => {
+    // M-006: JSON CRL endpoint (`GET /api/v1/crl`) removed entirely — RFC 5280
-      mockFetch.mockReturnValueOnce(mockJsonResponse({ entries: [], total: 0 }));
+    // defines only the DER wire format, which is now served unauthenticated at
-      await getCRL();
+    // `/.well-known/pki/crl/{issuer_id}` (fetched directly, no GUI wrapper).
-      expect(mockFetch.mock.calls[0][0]).toBe('/api/v1/crl');
+    // OCSP likewise relocated to `/.well-known/pki/ocsp/{issuer_id}/{serial}`
-    });
+    // per RFC 8615.
-
+    it('getOCSPStatus sends GET to /.well-known/pki/ocsp with issuer and serial', async () => {
    it('getOCSPStatus sends GET with issuer and serial', async () => {
      const buf = new ArrayBuffer(8);
      mockFetch.mockReturnValueOnce(
        Promise.resolve({
@@ -1229,7 +1268,7 @@ describe('API Client', () => {
        } as Response)
      );
      await getOCSPStatus('iss-local', 'ABC123');
-      expect(mockFetch.mock.calls[0][0]).toBe('/api/v1/ocsp/iss-local/ABC123');
+      expect(mockFetch.mock.calls[0][0]).toBe('/.well-known/pki/ocsp/iss-local/ABC123');
    });
    it('updateIssuer sends PUT with data', async () => {
@@ -51,12 +51,22 @@ export const getAuthInfo = () =>
  fetch(`${BASE}/auth/info`, { headers: { 'Content-Type': 'application/json' } })
    .then(r => r.json() as Promise<{ auth_type: string; required: boolean }>);
 // AuthCheckResponse mirrors the /auth/check handler payload. Post-M-003 it
 // surfaces `user` (named-key identity) and `admin` (named-key admin flag) so
 // the GUI can gate admin-only affordances. When CERTCTL_AUTH_TYPE=none the
 // backend returns {user: "", admin: false}.
 export interface AuthCheckResponse {
  status: string;
  user: string;
  admin: boolean;
 }
 export const checkAuth = (key: string) =>
  fetch(`${BASE}/auth/check`, {
    headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${key}` },
  }).then(r => {
    if (!r.ok) throw new Error('Invalid API key');
-    return r.json() as Promise<{ status: string }>;
+    return r.json() as Promise<AuthCheckResponse>;
  });
 // Certificates
@@ -152,14 +162,14 @@ export const getCertificateDeployments = (id: string, params: Record<string, str
  return fetchJSON<PaginatedResponse<Job>>(`${BASE}/certificates/${id}/deployments?${qs}`);
 };
-// CRL / OCSP
+// OCSP (RFC 6960) — served unauthenticated under /.well-known/pki/ per RFC 8615
-export const getCRL = () =>
+// (M-006 relocation). The legacy JSON CRL endpoint (`GET /api/v1/crl`) was
-  fetchJSON<{ version: number; entries: unknown[]; total: number; generated_at: string }>(`${BASE}/crl`);
+// removed entirely; relying parties fetch the DER-encoded CRL directly from
-
+// `/.well-known/pki/crl/{issuer_id}` (no GUI wrapper — binary download only).
 export const getOCSPStatus = (issuerId: string, serial: string) => {
-  const headers: Record<string, string> = {};
+  // No Authorization header — the OCSP responder is intentionally unauthenticated
-  if (apiKey) headers['Authorization'] = `Bearer ${apiKey}`;
+  // so relying parties without certctl API keys can check revocation status.
-  return fetch(`${BASE}/ocsp/${issuerId}/${serial}`, { headers })
+  return fetch(`/.well-known/pki/ocsp/${issuerId}/${serial}`)
    .then(r => {
      if (!r.ok) throw new Error(`OCSP request failed: ${r.status}`);
      return r.arrayBuffer();
@@ -7,6 +7,11 @@ interface AuthState {
  authRequired: boolean;
  authenticated: boolean;
  authType: string;
  // M-003: named-key identity + admin flag surfaced from /auth/check so admin-
  // only GUI affordances (e.g., bulk-revoke) can be hidden from non-admin
  // callers. These are UX hints — authorization remains enforced server-side.
  user: string;
  admin: boolean;
  login: (key: string) => Promise<void>;
  logout: () => void;
  error: string | null;
@@ -17,6 +22,8 @@ const AuthContext = createContext<AuthState>({
  authRequired: false,
  authenticated: false,
  authType: 'none',
  user: '',
  admin: false,
  login: async () => {},
  logout: () => {},
  error: null,
@@ -31,6 +38,8 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const [authRequired, setAuthRequired] = useState(false);
  const [authenticated, setAuthenticated] = useState(false);
  const [authType, setAuthType] = useState('none');
  const [user, setUser] = useState('');
  const [admin, setAdmin] = useState(false);
  const [error, setError] = useState<string | null>(null);
  // Check if server requires auth on mount
@@ -40,12 +49,19 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
        setAuthType(info.auth_type);
        setAuthRequired(info.required);
        if (!info.required) {
          // CERTCTL_AUTH_TYPE=none: the server treats every caller as
          // anonymous with admin=false. Mirror that locally so gated
          // affordances stay hidden.
          setAuthenticated(true);
          setUser('');
          setAdmin(false);
        }
      })
      .catch(() => {
        // If auth/info fails, assume no auth required (server may be old version)
        setAuthenticated(true);
        setUser('');
        setAdmin(false);
      })
      .finally(() => setLoading(false));
  }, []);
@@ -55,6 +71,8 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
    const handler = () => {
      setAuthenticated(false);
      setApiKey(null);
      setUser('');
      setAdmin(false);
      setError('Session expired. Please re-enter your API key.');
    };
    window.addEventListener('certctl:auth-required', handler);
@@ -64,9 +82,13 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const login = useCallback(async (key: string) => {
    setError(null);
    try {
-      await checkAuth(key);
+      // /auth/check returns {status, user, admin}. Capture user + admin so the
      // GUI can hide admin-only affordances (bulk revoke, etc.).
      const resp = await checkAuth(key);
      setApiKey(key);
      setAuthenticated(true);
      setUser(resp.user ?? '');
      setAdmin(Boolean(resp.admin));
    } catch {
      setError('Invalid API key');
      throw new Error('Invalid API key');
@@ -76,11 +98,13 @@ export default function AuthProvider({ children }: { children: ReactNode }) {
  const logout = useCallback(() => {
    setApiKey(null);
    setAuthenticated(false);
    setUser('');
    setAdmin(false);
    setError(null);
  }, []);
  return (
-    <AuthContext.Provider value={{ loading, authRequired, authenticated, authType, login, logout, error }}>
+    <AuthContext.Provider value={{ loading, authRequired, authenticated, authType, user, admin, login, logout, error }}>
      {children}
    </AuthContext.Provider>
  );
@@ -2,6 +2,7 @@ import { useState } from 'react';
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
 import { useNavigate } from 'react-router-dom';
 import { getCertificates, createCertificate, triggerRenewal, revokeCertificate, updateCertificate, getOwners, getTeams, getPolicies, getProfiles, getIssuers, bulkRevokeCertificates } from '../api/client';
 import { useAuth } from '../components/AuthProvider';
 import { REVOCATION_REASONS } from '../api/types';
 import PageHeader from '../components/PageHeader';
 import DataTable from '../components/DataTable';
@@ -366,6 +367,10 @@ function BulkReassignModal({ ids, onClose, onSuccess }: { ids: string[]; onClose
 export default function CertificatesPage() {
  const navigate = useNavigate();
  const queryClient = useQueryClient();
  // M-003: bulk revocation is admin-only. The backend rejects non-admin callers
  // with 403, but we also hide the button in the GUI to avoid a misleading
  // affordance. Authoritative gate remains server-side.
  const { admin } = useAuth();
  const [statusFilter, setStatusFilter] = useState('');
  const [envFilter, setEnvFilter] = useState('');
  const [issuerFilter, setIssuerFilter] = useState('');
@@ -467,10 +472,12 @@ export default function CertificatesPage() {
                ? `Renewing (${bulkRenewProgress.done}/${bulkRenewProgress.total})...`
                : 'Trigger Renewal'}
            </button>
-            <button onClick={() => setShowBulkRevoke(true)}
+            {admin && (
-              className="btn btn-ghost text-xs text-amber-400 hover:text-amber-300 border border-amber-600/50">
+              <button onClick={() => setShowBulkRevoke(true)}
-              Revoke
+                className="btn btn-ghost text-xs text-amber-400 hover:text-amber-300 border border-amber-600/50">
-            </button>
+                Revoke
              </button>
            )}
            <button onClick={() => setShowBulkReassign(true)}
              className="btn btn-ghost text-xs text-brand-400 hover:text-brand-300 border border-brand-600/50">
              Reassign Owner