It's my understanding that to use the CAS CRL I would need to configure cert-manager to support the OCSP server, which is available in the native cert-manager configuration; however, it is not supported in this plugin issuer.
If you have enabled CRL in your CA Pool, issued certificates should already contain the CRL distribution endpoint, which is managed by Google. It's not an extension that is included in certificate requests; it's the responsibility of the CA (Google's CAS only supports CRL for enterprise tier CA pools).
Hi,
We would like to understand how validation of certificates can be done against the CRL (storage bucket) using cert-manager. There is a bespoke design using CloudRun (operating as OCSP) and storage buckets here - https://github.com/GoogleCloudPlatform/gcp-ca-service-ocsp, which addresses this. However, we were hoping cert-manager can handle the revocation validation, in addition to issuance and renewals.
It's my understanding that to use the CAS CRL I would need to configure cert-manager to support the OCSP server, which is available in the native cert-manager configuration; however, it is not supported in this plugin issuer.
native capability
https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CAIssuer
plugin
https://github.com/jetstack/google-cas-issuer/blob/38289b08eff47f94570e394755510dd4cacafd0b/api/v1beta1/googlecasissuer_types.go#L28