system: restrict CRL use to one per CA #7015
Comments
AdSchellevis
added a commit
that referenced
this issue
Jan 4, 2024
…ion when one or more CRL's are found. for #7015
fichtner
pushed a commit
that referenced
this issue
Mar 12, 2024
…ion when one or more CRL's are found. for #7015
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Is your feature request related to a problem? Please describe.
Currently multiple CRLs can be created for a CA, but that workflow is unpractical for guessing which CRL may belong to which service. Currently only OpenVPN and OPNWAF use this approach to CRL selection. IPsec needs CRLs too, but we would like to make this simpler.
Describe the solution you like
For now restrict the CRL creation amount per CA to a single CRL, but leave the already created CRLs in place. Maybe mark them as deprecated.
In a later step we could actually merge them into one single CRL. If a CRL is set for a certificate it should be used so IPsec doesn't need a switch but only backend glue to place the CRL. OpenVPN and OPNWAF will lose their ability to select a CRL but will use the one that is there.
Describe alternatives you considered
Leaving the multiple CRL situation, but that has other disadvantages and people are already asking for external CRL providers as well (#6838).
Additional context
N/A
The text was updated successfully, but these errors were encountered: