Skip to content

[FEATURE] Add CRL/OCSP revocation checking for mutual_tls authentication #6940

Description

@divakarsingh

Is your feature request related to a problem? Please describe.

The mutual_tls authentication plugin (#6916) currently does not support certificate revocation
checking. If a client certificate is compromised, there is no way to revoke it without replacing
the entire trust CA or restarting Data Prepper with a new trust store.

Describe the solution you'd like

Add optional revocation checking support to the mutual_tls authentication config:

  • crl_file (optional): Path to a CRL (Certificate Revocation List) PEM file. Checked during
    TLS handshake. Clients presenting a revoked certificate are rejected.
  • ocsp_enabled (optional, boolean): Enable OCSP (Online Certificate Status Protocol) checking
    against the OCSP responder URL in the client certificate's AIA extension.

Example configuration:

authentication:
  mutual_tls:
    ssl_trust_certificate_file: "/certs/ca.crt"
    crl_file: "/certs/revoked.crl"
    ocsp_enabled: true

Describe alternatives you've considered

  • Rotating the CA certificate to invalidate all client certs (disruptive)
  • Short-lived client certificates with frequent rotation (shifts complexity to cert issuer)

Additional context

This was identified during review of #6916. The current implementation authenticates clients
based on CA trust alone. For production deployments, revocation support is needed to handle
compromised client certificates without full CA rotation.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Unplanned

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions