Details
-
Feature Request
-
Resolution: Done
-
Blocker
-
4.13
-
None
-
0
-
0%
Description
1. Proposed title of this feature request
Allow configuring CRL when ingress MTLS is enabled
2. What is the nature and description of the request?
The current documentationdescribes that: `If your CA bundle references a CRL distribution point, you must have also included the end-entity or leaf certificate to the client CA bundle. This certificate must have included an HTTP URI under CRL Distribution Points`
With the current configuration, a leaf certificate must be added in order to download the CRL.
With the following RFE we would like to request that the CRLs to be used can be configured within the same mtls configuration that is done in the IngressController.
3. Why does the customer need this?
Adding leaf certificates is not ideal for the following reasons:
- Adds additional manual process to replace them when they expire (and leaf certificates usually have a much shorter lifetime that intermediates and roots). Debugging the sudden rejection of client certificates will be tricky for a non-PKI specialist.
- If the leaf certificate doesn't have the correct flags set, it could be used to issue certificates that mTLS would trust
- HAproxy presents the leaf certificates as accepted DNs to the clients - this seems to be fine, but has the potential to confuse some clients
4. List any affected packages or components.
OpenShift ingress
Attachments
Issue Links
- duplicates
-
-
- Accepted
-