gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-09 15:28:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: M15b — OCSP responder, DER CRL, short-lived exemption, revocation GUI

Browse Source 
Backend:
- Embedded OCSP responder: GET /api/v1/ocsp/{issuer_id}/{serial} returns
  signed OCSP responses (good/revoked/unknown) using CA key
- DER-encoded X.509 CRL: GET /api/v1/crl/{issuer_id} returns proper DER CRL
  signed by issuing CA with 24h validity window
- Short-lived cert exemption: certs with profile TTL < 1 hour skip CRL/OCSP
  (expiry is sufficient revocation for ephemeral workloads)
- Extended issuer connector interface with GenerateCRL and SignOCSPResponse
- Local CA implements full CRL/OCSP signing; ACME and step-ca return
  appropriate "use native endpoint" errors
- IssuerConnectorAdapter bridges new methods between layers

Frontend:
- Revoke button on certificate detail page with RFC 5280 reason modal
- Revocation banner with reason display and timestamp
- Revocation status indicators in lifecycle section
- "Revoked" filter option in certificates list
- API client: revokeCertificate() function and Certificate type extensions

Tests: ~31 new tests across connector, service, handler, and adapter layers
Docs: milestones renumbered (M13-M14, M16-M18), M15b marked complete

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
shankar0123
2026-03-22 14:39:10 -04:00
parent 12e6150219
commit 762c523d59
22 changed files with 1470 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/api/client.ts
+6
View File
@@ -88,6 +88,12 @@ export const triggerDeployment = (id: string, targetId: string) =>
body: JSON.stringify({ target_id: targetId }),
});
export const revokeCertificate = (id: string, reason: string) =>
fetchJSON<{ status: string }>(`${BASE}/certificates/${id}/revoke`, {
method: 'POST',
body: JSON.stringify({ reason }),
});
// Agents
export const getAgents = (params: Record<string, string> = {}) => {
const qs = new URLSearchParams({ page: '1', per_page: '50', ...params }).toString();
web/src/api/types.ts
+14
View File
@@ -9,17 +9,31 @@ export interface Certificate {
owner_id: string;
team_id: string;
renewal_policy_id: string;
certificate_profile_id: string;
serial_number: string;
fingerprint: string;
key_algorithm: string;
key_size: number;
issued_at: string;
expires_at: string;
revoked_at?: string;
revocation_reason?: string;
tags: Record<string, string>;
created_at: string;
updated_at: string;
}
export const REVOCATION_REASONS = [
{ value: 'unspecified', label: 'Unspecified' },
{ value: 'keyCompromise', label: 'Key Compromise' },
{ value: 'caCompromise', label: 'CA Compromise' },
{ value: 'affiliationChanged', label: 'Affiliation Changed' },
{ value: 'superseded', label: 'Superseded' },
{ value: 'cessationOfOperation', label: 'Cessation of Operation' },
{ value: 'certificateHold', label: 'Certificate Hold' },
{ value: 'privilegeWithdrawn', label: 'Privilege Withdrawn' },
] as const;
export interface CertificateVersion {
id: string;
certificate_id: string;
web/src/pages/CertificateDetailPage.tsx
+113 -5
View File
@@ -1,7 +1,8 @@
import { useState } from 'react';
import { useParams, useNavigate } from 'react-router-dom';
import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
import { getCertificate, getCertificateVersions, triggerRenewal, triggerDeployment, archiveCertificate, getTargets } from '../api/client';
import { getCertificate, getCertificateVersions, triggerRenewal, triggerDeployment, archiveCertificate, revokeCertificate, getTargets } from '../api/client';
import { REVOCATION_REASONS } from '../api/types';
import PageHeader from '../components/PageHeader';
import StatusBadge from '../components/StatusBadge';
import ErrorState from '../components/ErrorState';
@@ -22,6 +23,8 @@ export default function CertificateDetailPage() {
const queryClient = useQueryClient();
const [showDeploy, setShowDeploy] = useState(false);
const [deployTargetId, setDeployTargetId] = useState('');
const [showRevoke, setShowRevoke] = useState(false);
const [revokeReason, setRevokeReason] = useState('unspecified');
const { data: cert, isLoading, error, refetch } = useQuery({
queryKey: ['certificate', id],
@@ -66,6 +69,16 @@ export default function CertificateDetailPage() {
},
});
const revokeMutation = useMutation({
mutationFn: () => revokeCertificate(id!, revokeReason),
onSuccess: () => {
setShowRevoke(false);
setRevokeReason('unspecified');
queryClient.invalidateQueries({ queryKey: ['certificate', id] });
queryClient.invalidateQueries({ queryKey: ['certificates'] });
},
});
if (isLoading) {
return (
<>
@@ -85,6 +98,9 @@ export default function CertificateDetailPage() {
}
const days = daysUntil(cert.expires_at);
const isRevoked = cert.status === 'Revoked';
const isArchived = cert.status === 'Archived';
const canRevoke = !isRevoked && !isArchived;
return (
<>
@@ -98,19 +114,27 @@ export default function CertificateDetailPage() {
</button>
<button
onClick={() => setShowDeploy(true)}
disabled={cert.status === 'Archived'}
disabled={isArchived || isRevoked}
className="btn btn-ghost text-xs border border-slate-600 disabled:opacity-50"
>
Deploy
</button>
<button
onClick={() => renewMutation.mutate()}
disabled={renewMutation.isPending || cert.status === 'Archived' || cert.status === 'RenewalInProgress'}
disabled={renewMutation.isPending || isArchived || isRevoked || cert.status === 'RenewalInProgress'}
className="btn btn-primary text-xs disabled:opacity-50"
>
{renewMutation.isPending ? 'Renewing...' : 'Trigger Renewal'}
</button>
{cert.status !== 'Archived' && (
{canRevoke && (
<button
onClick={() => setShowRevoke(true)}
className="btn btn-ghost text-xs text-amber-400 hover:text-amber-300 border border-amber-600/50"
>
Revoke
</button>
)}
{!isArchived && (
<button
onClick={() => { if (confirm('Archive this certificate? This cannot be undone.')) archiveMutation.mutate(); }}
disabled={archiveMutation.isPending}
@@ -148,6 +172,36 @@ export default function CertificateDetailPage() {
Failed to archive: {archiveMutation.error instanceof Error ? archiveMutation.error.message : 'Unknown error'}
</div>
)}
{revokeMutation.isSuccess && (
<div className="bg-amber-500/10 border border-amber-500/20 text-amber-400 rounded-lg px-4 py-3 text-sm">
Certificate revoked successfully. It has been added to the CRL.
</div>
)}
{revokeMutation.isError && (
<div className="bg-red-500/10 border border-red-500/20 text-red-400 rounded-lg px-4 py-3 text-sm">
Failed to revoke: {revokeMutation.error instanceof Error ? revokeMutation.error.message : 'Unknown error'}
</div>
)}
{/* Revocation Banner */}
{isRevoked && (
<div className="bg-red-500/10 border border-red-500/30 rounded-lg px-4 py-3">
<div className="flex items-center gap-3">
<div className="w-8 h-8 rounded-full bg-red-500/20 flex items-center justify-center flex-shrink-0">
<svg className="w-4 h-4 text-red-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M18.364 18.364A9 9 0 005.636 5.636m12.728 12.728A9 9 0 015.636 5.636m12.728 12.728L5.636 5.636" />
</svg>
</div>
<div>
<div className="text-sm font-medium text-red-400">Certificate Revoked</div>
<div className="text-xs text-slate-400 mt-0.5">
Reason: {REVOCATION_REASONS.find(r => r.value === cert.revocation_reason)?.label || cert.revocation_reason || 'Unspecified'}
{cert.revoked_at && <> &middot; Revoked {formatDateTime(cert.revoked_at)}</>}
</div>
</div>
</div>
</div>
)}
<div className="grid grid-cols-1 lg:grid-cols-2 gap-6">
{/* Certificate Info */}
@@ -169,15 +223,28 @@ export default function CertificateDetailPage() {
<h3 className="text-sm font-semibold text-slate-300 mb-4">Lifecycle</h3>
<InfoRow label="Issued" value={formatDate(cert.issued_at)} />
<InfoRow label="Expires" value={
<span className={expiryColor(days)}>
<span className={isRevoked ? 'text-red-400 line-through' : expiryColor(days)}>
{formatDate(cert.expires_at)} ({days <= 0 ? 'expired' : `${days} days`})
</span>
} />
<InfoRow label="Environment" value={cert.environment || '—'} />
<InfoRow label="Issuer" value={cert.issuer_id} />
<InfoRow label="Profile" value={cert.certificate_profile_id || '—'} />
<InfoRow label="Renewal Policy" value={cert.renewal_policy_id || '—'} />
<InfoRow label="Owner" value={cert.owner_id} />
<InfoRow label="Team" value={cert.team_id} />
{isRevoked && (
<>
<InfoRow label="Revoked At" value={
<span className="text-red-400">{cert.revoked_at ? formatDateTime(cert.revoked_at) : '—'}</span>
} />
<InfoRow label="Revocation Reason" value={
<span className="text-red-400">
{REVOCATION_REASONS.find(r => r.value === cert.revocation_reason)?.label || cert.revocation_reason || '—'}
</span>
} />
</>
)}
<InfoRow label="Created" value={formatDateTime(cert.created_at)} />
<InfoRow label="Updated" value={formatDateTime(cert.updated_at)} />
</div>
@@ -220,6 +287,8 @@ export default function CertificateDetailPage() {
)}
</div>
</div>
{/* Deploy Modal */}
{showDeploy && (
<div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50" onClick={() => setShowDeploy(false)}>
<div className="bg-slate-800 border border-slate-600 rounded-xl p-6 w-full max-w-md shadow-2xl" onClick={e => e.stopPropagation()}>
@@ -253,6 +322,45 @@ export default function CertificateDetailPage() {
</div>
</div>
)}
{/* Revoke Modal */}
{showRevoke && (
<div className="fixed inset-0 bg-black/60 flex items-center justify-center z-50" onClick={() => setShowRevoke(false)}>
<div className="bg-slate-800 border border-slate-600 rounded-xl p-6 w-full max-w-md shadow-2xl" onClick={e => e.stopPropagation()}>
<h2 className="text-lg font-semibold text-red-400 mb-2">Revoke Certificate</h2>
<p className="text-sm text-slate-400 mb-4">
This action cannot be undone. The certificate will be added to the CRL and marked as revoked.
</p>
{revokeMutation.isError && (
<div className="bg-red-500/10 border border-red-500/20 text-red-400 rounded-lg px-3 py-2 text-sm mb-3">
{revokeMutation.error instanceof Error ? revokeMutation.error.message : 'Unknown error'}
</div>
)}
<label className="text-xs text-slate-400 block mb-2">Revocation Reason (RFC 5280)</label>
<select
value={revokeReason}
onChange={e => setRevokeReason(e.target.value)}
className="w-full bg-slate-900 border border-slate-600 rounded-lg px-3 py-2 text-sm text-slate-200 mb-4"
>
{REVOCATION_REASONS.map(r => (
<option key={r.value} value={r.value}>{r.label}</option>
))}
</select>
<div className="flex justify-end gap-3">
<button onClick={() => { setShowRevoke(false); setRevokeReason('unspecified'); }} className="btn btn-ghost text-sm">
Cancel
</button>
<button
onClick={() => revokeMutation.mutate()}
disabled={revokeMutation.isPending}
className="btn text-sm bg-red-600 hover:bg-red-500 text-white disabled:opacity-50"
>
{revokeMutation.isPending ? 'Revoking...' : 'Revoke Certificate'}
</button>
</div>
</div>
</div>
)}
</>
);
}
web/src/pages/CertificatesPage.tsx
+1
View File
@@ -167,6 +167,7 @@ export default function CertificatesPage() {
<option value="Active">Active</option>
<option value="Expiring">Expiring</option>
<option value="Expired">Expired</option>
<option value="Revoked">Revoked</option>
<option value="RenewalInProgress">Renewal In Progress</option>
<option value="Archived">Archived</option>
</select>