PKI Tidy Revocation List optionally Tidy Revoked Certs that are Unexpired (#4916)

2026-05-28 04:10:44 -04:00 · 2018-07-13 09:32:32 -04:00 · 2018-07-13 09:32:32 -04:00 · 6559f5fe76
commit 6559f5fe76
parent bd9ba940ef
2 changed files with 14 additions and 1 deletions
--- a/builtin/logical/pki/path_tidy.go
+++ b/builtin/logical/pki/path_tidy.go
@ -31,6 +31,14 @@ the revocation list`,
 				Default: false,
 			},

+			"tidy_revoked_certs": &framework.FieldSchema{
+				Type: framework.TypeBool,
+				Description: `Set to true to expire all revoked
+certificates, even if their duration has not yet passed. This will cause these
+certificates to be removed from the CRL the next time the CRL is generated.`,
+				Default: false,
+			},
+
 			"safety_buffer": &framework.FieldSchema{
 				Type: framework.TypeDurationSecond,
 				Description: `The amount of extra time that must have passed
@ -54,6 +62,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 	safetyBuffer := d.Get("safety_buffer").(int)
 	tidyCertStore := d.Get("tidy_cert_store").(bool)
 	tidyRevocationList := d.Get("tidy_revocation_list").(bool)
+	tidyRevokedCerts := d.Get("tidy_revoked_certs").(bool)

 	if safetyBuffer < 1 {
 		return logical.ErrorResponse("safety_buffer must be greater than zero"), nil
@ -163,7 +172,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
 						return errwrap.Wrapf(fmt.Sprintf("unable to parse stored revoked certificate with serial %q: {{err}}", serial), err)
 					}

-					if time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
+					if tidyRevokedCerts || time.Now().After(revokedCert.NotAfter.Add(bufferDuration)) {
 						if err := req.Storage.Delete(ctx, "revoked/"+serial); err != nil {
 							return errwrap.Wrapf(fmt.Sprintf("error deleting serial %q from revoked list: {{err}}", serial), err)
 						}
--- a/website/source/api/secret/pki/index.html.md
+++ b/website/source/api/secret/pki/index.html.md
@ -1532,6 +1532,10 @@ expiration time.
 - `tidy_revocation_list` `(bool: false)` Specifies whether to tidy up the
  revocation list (CRL).

+- `tidy_revoked_certs` `(bool: false)` Set to true to expire all revoked
+  certificates, even if their duration has not yet passed. This will cause these
+  certificates to be removed from the CRL the next time the CRL is generated.
+
 - `safety_buffer` `(string: "")` Specifies  A duration (given as an integer
  number of seconds or a string; defaults to `72h`) used as a safety buffer to
  ensure certificates are not expunged prematurely; as an example, this can keep