CRL and OCSP #1029
Apologies if this has been answered before (searched discussions but didn't see much.) Is the dev team able to comment on whether or not step ca will see fully functioning CRL and OCSP support? I did come across this command reference, and although the description mentions creation and management of CRLs, that functionality does not appear to be there yet.

The emphasis on short-lived certificates with passive revocation is totally understandable and matches the current trends happening in the PKI space. My organization has implemented step ca for both SSH certificates and ACME certs using short validity periods, and it has worked fabulously. There are some edge cases however -- for example, when running a VPN service that requires a client certificate, it would be great to be able to provide long lived certificates with active revocation support. Exposing a CA publicly to allow for retrieval of short lived certs that can be used to jump into our network is not in the cards :)

If you can't comment on it at this time, totally understand. Either way I'm a big fan of what Smallstep is doing and am following the progress of step ca with great interest.
Replies: 2 comments
Hi @mikansontap123 it looks like #731 was tagged for the v0.23.0 release, so if all goes well we should have CRL support in step-ca very soon!

@tashian Thanks for your response, that's great to hear. If I may ask a slightly related follow up question, I understand