mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 16:41:36 +00:00
shankar0123
47e37d6f68
Production hardening II Phase 6 — close the operator-must-manually- configure-CDP gap that the EST hardening prompt's deferral list flagged. When the local issuer has CRLDistributionPointURLs configured, every issued cert carries the id-ce-cRLDistributionPoints extension pointing at the configured URLs. Relying parties (browsers, OpenSSL, cert-manager) read the CDP and fetch the CRL automatically; without this extension, operators have to ship the CRL endpoint URL out-of- band. NEW Config field internal/connector/issuer/local/local.go:: Config.CRLDistributionPointURLs []string. Empty (default) preserves pre-Phase-6 behavior — no CDP extension. Refusing to silently inject an empty CDP is frozen decision 0.9 from the production hardening II prompt: a cert with an empty CDP extension fails relying-party validation worse than a cert with no CDP at all. Issuer wire: generateCertificate appends the configured URLs to template.CRLDistributionPoints. crypto/x509 handles the ASN.1 encoding (RFC 5280 §4.2.1.13) — no manual marshaling needed. Operator config (cmd/server/main.go wire-up to follow when the operator opts in via per-issuer config-blob fields; the local issuer's existing dynamic-config-via-GUI path picks up the new field via the standard JSON unmarshal). Typical value: ["https://certctl.example.com:8443/.well-known/pki/crl/iss-local"] Pre-commit verification: go build ./... clean; go test -short -count=1 green for connector/issuer/local/.