docs: CRL/OCSP user guide + architecture cross-reference — Phase 6

Audit of cowork/crl-ocsp-responder-prompt.md against repo HEAD found two prompt deliverables still missing after the Phase 5 + Phase 6 code landed: the docs/crl-ocsp.md operator+relying-party guide (Phase 6.2) and the docs/architecture.md cross-reference. This commit closes both. docs/crl-ocsp.md (329 lines) covers: * Conceptual overview — why both CRL and OCSP, why a separate responder cert (RFC 6960 §2.6 / §4.2.2.2.1) keeps the CA key cold * Endpoints — GET CRL, GET + POST OCSP, admin observability endpoint (M-008 admin-gated) with full request/response shape examples * Configuration — every CERTCTL_CRL_* / CERTCTL_OCSP_RESPONDER_* env var with default + meaning + 'MUST set in prod' callout for OCSP_RESPONDER_KEY_DIR * OCSP responder cert lifecycle — first-request bootstrap, disk self-healing when keydir is pruned out from under the DB row, rotation grace, ExtraExtensions wiring for id-pkix-ocsp-nocheck * Consumer integration recipes — cert-manager (AIA/CDP automatic), Firefox (about:preferences quirk), OpenSSL (ocsp + s_client -status), Intune (CRL pull cadence) * V3-Pro deferred (delta CRLs, OCSP rate-limiting, OCSP stapling) * Troubleshooting (404 on issuer that doesn't support CRL, hex serial format, admin-gated 403, scheduler not running) docs/architecture.md: extended the existing 'Certificate revocation' paragraph to explicitly call out the new pipeline (crl_cache table, OCSP responder cert per RFC 6960 §2.6, POST + GET OCSP endpoints, auto-rotation grace) and added the 'See docs/crl-ocsp.md for the operator + relying-party guide' link so future readers can find the deep dive. Closes the prompt's Phase 6.2 + 6.3 exit criteria. Combined with the Phase 5 GUI panel (0594631) + Phase 6 e2e helpers (fc3c7ad) + Phase 5 admin endpoint (a4df1f8), this completes V2 for the bundle. V3-Pro polish (delta CRLs, OCSP rate-limiting, OCSP stapling) remains explicitly out of scope per the prompt's 'What this prompt is NOT' section.
2026-06-11 20:58:52 +00:00 · 2026-04-29 03:09:13 +00:00
parent fc3c7ad1e3
commit b4334edda1
2 changed files with 330 additions and 1 deletions
@@ -981,7 +981,7 @@ Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST
 - **Additional filters**: `?agent_id=`, `?profile_id=` (in addition to existing status, environment, owner_id, team_id, issuer_id).
 - **Deployments**: `GET /api/v1/certificates/{id}/deployments` returns deployment targets for a certificate.

-Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. The DER-encoded X.509 CRL signed by the issuing CA is served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`). The embedded OCSP responder serves signed responses unauthenticated at `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` (RFC 6960, `Content-Type: application/ocsp-response`). Both endpoints are accessible to relying parties with no certctl API credentials, as RFC-compliant PKI consumers expect. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation.
+Certificate revocation: `POST /api/v1/certificates/{id}/revoke` with optional `{"reason": "keyCompromise"}`. Supports RFC 5280 reason codes (unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn). Returns the updated certificate status. Best-effort issuer notification — the revocation succeeds even if the issuer connector is unavailable. The DER-encoded X.509 CRL signed by the issuing CA is served unauthenticated at `GET /.well-known/pki/crl/{issuer_id}` (RFC 5280 §5 + RFC 8615, `Content-Type: application/pkix-crl`); the CRL is pre-generated by the scheduler-driven `crlGenerationLoop` and persisted in the `crl_cache` table (migration 000019) so HTTP fetches do not rebuild per request. The embedded OCSP responder serves signed responses unauthenticated at both `GET /.well-known/pki/ocsp/{issuer_id}/{serial}` and `POST /.well-known/pki/ocsp/{issuer_id}` (RFC 6960 §A.1.1, `Content-Type: application/ocsp-response`); responses are signed by a per-issuer dedicated OCSP responder cert (RFC 6960 §2.6, migration 000020) carrying the `id-pkix-ocsp-nocheck` extension (RFC 6960 §4.2.2.2.1) — the CA private key is never used directly for OCSP signing, which keeps it cold for the future PKCS#11/HSM driver path. The responder cert auto-rotates within `CERTCTL_OCSP_RESPONDER_ROTATION_GRACE` (default 7d) of expiry. Both endpoints are accessible to relying parties with no certctl API credentials, as RFC-compliant PKI consumers expect. Short-lived certificates (profile TTL < 1 hour) are exempt from CRL/OCSP — expiry is sufficient revocation. See [`crl-ocsp.md`](crl-ocsp.md) for the operator + relying-party guide (endpoint URLs, configuration knobs, responder cert lifecycle, cert-manager / Firefox / OpenSSL / Intune integration recipes, troubleshooting).

 Certificate export (M27): `GET /api/v1/certificates/{id}/export/pem` returns PEM-encoded certificate and chain, and `POST /api/v1/certificates/{id}/export/pkcs12` returns a PKCS#12 bundle (binary). Private keys are never exported — they remain on agents. All exports are audited with actor, timestamp, and format.