RHEL-17467

mod_md should trigger the reissue of new pair key/certificate when OCSP reports a revoked status

    • Story
    • Resolution: Done-Errata
    • rhel-9.5
    • mod_md
    • mod_md-2.4.26-1.el9
    • Low
    • rhel-sst-cs-stacks
    • ssg_core_services
    • 24

      This new feature request is dependent on the implementation of the following, which needs to be accomplished first:

      https://issues.redhat.com/browse/RHEL-17462

      The feature that mod_md is lacking is that when OCSP reports a revoked status for a certificate, it should trigger the reissue of a new key/certificate pair on the ACME client. When the mod_md OCSP client observes that a monitored certificate is revoked, it should attempt to request a new certificate for the managed domain.

      Additionally, mod_md could/should generate a new keypair, especially when the OCSP response specifies the keyCompromise revocation reason.

      This feature will enable hosts to automatically recover when revoked certificates are observed. That would be really useful, for example, when a CA revokes a certificate due to a compromise.

      This is something that has occurred in the past with publicly trusted ACME CAs, including Let's Encrypt, and it is assumed the same kind of events will occur in the future. Examples:

              luhliari@redhat.com Lubos Uhliarik
              rh-ee-jfont Josep Andreu Font
              Lubos Uhliarik
              Iveta Cesalova
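The decision this request describes, sketched as an added example (not code from mod_md or from this issue): it reads the summary text printed by `openssl ocsp` and picks an action for the managed domain. The sample output, the action names, the `always_rotate_key` switch and the policy of ignoring unverified or stale responses are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample: combined stdout/stderr of `openssl ocsp` for a revoked
# certificate. File name and timestamps are made up for this example.
SAMPLE_REVOKED = (
    "Response verify OK\n"
    "example.org.pem: revoked\n"
    "\tThis Update: Mar  1 10:00:00 2024 GMT\n"
    "\tNext Update: Mar  8 10:00:00 2024 GMT\n"
    "\tReason: keyCompromise\n"
    "\tRevocation Time: Feb 29 22:15:00 2024 GMT\n"
)

# Assumption: only this reason forces a fresh key pair by default.
NEW_KEY_REASONS = {"keyCompromise"}


def _field(name, text):
    """Return the value of a 'Name: value' line, without a trailing ' GMT'."""
    m = re.search(rf"^\s*{name}: (.+?)(?: GMT)?$", text, re.MULTILINE)
    return m.group(1) if m else None


def decide(ocsp_text, now, always_rotate_key=False):
    """Return 'keep', 'reissue' or 'reissue-new-key' for one OCSP summary.

    `now` is a naive datetime in UTC (hypothetical interface).
    """
    # Ignore responses whose signature did not verify, so that an injected
    # "revoked" answer cannot force needless ACME orders.
    if "Response verify OK" not in ocsp_text:
        return "keep"
    status = re.search(r"^\S+: (good|revoked|unknown)$", ocsp_text, re.MULTILINE)
    if not status or status.group(1) != "revoked":
        return "keep"
    # A response past its Next Update is stale and is not acted on.
    next_update = _field("Next Update", ocsp_text)
    if next_update is None:
        return "keep"
    if now > datetime.strptime(next_update, "%b %d %H:%M:%S %Y"):
        return "keep"
    # Revoked: always reissue; rotate the key on keyCompromise or on request.
    if always_rotate_key or _field("Reason", ocsp_text) in NEW_KEY_REASONS:
        return "reissue-new-key"
    return "reissue"
```

Setting `always_rotate_key=True` models the stricter reading of the request, where every revocation produces a new key pair regardless of the reason given.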