Is your feature request related to a problem? Please describe.
The mutual_tls authentication plugin (#6916) currently does not support certificate revocation
checking. If a client certificate is compromised, there is no way to revoke it without replacing
the entire trust CA or restarting Data Prepper with a new trust store.
Describe the solution you'd like
Add optional revocation checking support to the mutual_tls authentication config:
crl_file (optional): Path to a CRL (Certificate Revocation List) PEM file. Checked during
TLS handshake. Clients presenting a revoked certificate are rejected.
ocsp_enabled (optional, boolean): Enable OCSP (Online Certificate Status Protocol) checking
against the OCSP responder URL in the client certificate's AIA extension.
Example configuration:
authentication:
mutual_tls:
ssl_trust_certificate_file: "/certs/ca.crt"
crl_file: "/certs/revoked.crl"
ocsp_enabled: true
Describe alternatives you've considered
- Rotating the CA certificate to invalidate all client certs (disruptive)
- Short-lived client certificates with frequent rotation (shifts complexity to cert issuer)
Additional context
This was identified during review of #6916. The current implementation authenticates clients
based on CA trust alone. For production deployments, revocation support is needed to handle
compromised client certificates without full CA rotation.
Is your feature request related to a problem? Please describe.
The
mutual_tlsauthentication plugin (#6916) currently does not support certificate revocationchecking. If a client certificate is compromised, there is no way to revoke it without replacing
the entire trust CA or restarting Data Prepper with a new trust store.
Describe the solution you'd like
Add optional revocation checking support to the
mutual_tlsauthentication config:crl_file(optional): Path to a CRL (Certificate Revocation List) PEM file. Checked duringTLS handshake. Clients presenting a revoked certificate are rejected.
ocsp_enabled(optional, boolean): Enable OCSP (Online Certificate Status Protocol) checkingagainst the OCSP responder URL in the client certificate's AIA extension.
Example configuration:
Describe alternatives you've considered
Additional context
This was identified during review of #6916. The current implementation authenticates clients
based on CA trust alone. For production deployments, revocation support is needed to handle
compromised client certificates without full CA rotation.