Postgres Backend for CFSSL
Nick Sullivan edited this page Oct 11, 2015 · 1 revision
It would be useful to have a permanent store for CFSSL/multirootca in the form of a postgres database. This database can also be used as a source of truth about the status of the issued certificates, including revocation status.
- Create a database schema for certificates
- Add issued certificates to the database
Some additional tools should be created for interacting with this database. Specifically:
- revoke: a tool that takes a certificate or serial number and a revocation reason, and marks the certificate in the database as revoked
- ocsp: a tool that queries all unexpired certificates from the database and creates an OCSP response for each using the CFSSL OCSPSign API. The output is a file containing concatenated OCSP responses in a format that cfssl ocspserve can use.
- crl: a tool that queries all unexpired certificates from the database and creates a CRL using CFSSL's crl endpoint.
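As an added example (not from this page or the CFSSL project), here is one way the schema and the queries behind the three tools could look in PostgreSQL; the column names, the status CHECK constraint and the sample serial and key-identifier values are assumptions:

```sql
-- Assumed schema (example only): one row per issued certificate.
CREATE TABLE certificates (
    serial_number     NUMERIC     NOT NULL,  -- X.509 serials are up to 20 bytes, so not BIGINT
    authority_key_id  BYTEA       NOT NULL,  -- serials are only unique per issuer (multirootca)
    status            TEXT        NOT NULL DEFAULT 'good'
                      CHECK (status IN ('good', 'revoked')),
    reason            INTEGER,               -- RFC 5280 CRLReason code, NULL unless revoked
    revoked_at        TIMESTAMPTZ,
    expiry            TIMESTAMPTZ NOT NULL,  -- NotAfter, so expired certs can be skipped
    pem               TEXT        NOT NULL,
    PRIMARY KEY (serial_number, authority_key_id)
);

-- revoke: mark one certificate revoked with a CRLReason (1 = keyCompromise).
-- Restricting to status = 'good' keeps a repeated revoke from moving the
-- original revocation timestamp forward.
UPDATE certificates
   SET status = 'revoked', reason = 1, revoked_at = now()
 WHERE serial_number = 123456
   AND authority_key_id = decode('0123abcd', 'hex')   -- assumed sample AKI
   AND status = 'good';

-- ocsp: every unexpired certificate, good or revoked, so a response can be
-- pre-signed for each one; expired certificates are left out.
SELECT serial_number, authority_key_id, status, reason, revoked_at, pem
  FROM certificates
 WHERE expiry > now()
 ORDER BY authority_key_id, serial_number;

-- crl: only revoked, unexpired certificates belong in the CRL entries
-- (RFC 5280 allows dropping entries once the certificate has expired).
SELECT serial_number, reason, revoked_at
  FROM certificates
 WHERE status = 'revoked' AND expiry > now()
 ORDER BY revoked_at;
```

Both SELECTs are filtered on expiry, so once a certificate passes NotAfter it drops out of the OCSP batch and the CRL without any row being deleted, which keeps the table usable as an audit record.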