Let users revoke their own certificates

I want to use the PKI to generate user certificates that should be used for 802.1X authentication.

Users authorize some custom application via OIDC/JWT to generate certificates for @example.com within the Vault PKI, using some role with a corresponding policy path template.

Now I want to let users revoke their certificates, but only theirs.
From what I understand there are two ways of revoking certificates: either via the pki/revoke endpoint together with the certificate's serial, or by revoking a lease that is attached to the certificate.

Since I don’t see how I could restrict access to the pki/revoke endpoint using a policy, to limit users to revoking only their own certificates, it seems that I have to attach leases to the certificates.

But it seems that having leases requires me to periodically renew them, which I can’t, as the user only interacts with the app when they generate a new certificate or want to revoke one.

I kinda feel that I’m trying to use Vault in some unintended way.
Can you please point me in the right direction?

I can’t think of a way to do this; there is no way of identifying a cert creator or owner without additional metadata at create time.

One possible avenue in the future would be to tag the create with the token’s entity id and then allow either revoke-self type pathing or something similar with the consul templating to identify the entity owner in the path but again that’s something that would have to be implemented in the code.


Thanks, then I’ll implement such policies outside of Vault. I need to maintain a database of the issued certificates anyway.

Yeah, it would be simple to use an external portal to generate and track such things and just use Vault as the secure storage. You can even use the KV engine as your simple data store for the tracking. With 1.9 you can PATCH a secret, so you don’t even have to read and write the whole thing anymore.
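An added example of the external-portal approach from the last reply (my code, not the thread's or HashiCorp's): the portal records each issued serial under the caller's entity id in KV v2, and only calls pki/revoke for serials in that caller's record. Assumed names: KV v2 mounted at `secret`, PKI at `pki`, a role `user`, and entity ids taken from the app's own OIDC login.

```python
import json
import urllib.error
import urllib.request

# Assumed names, not from the thread: KV v2 mounted at "secret", PKI at "pki",
# and a PKI role "user" restricted to @example.com.
KV, PKI, ROLE = "secret", "pki", "user"

class VaultHTTP:
    """Thin client over Vault's HTTP API (needs a reachable Vault and a token)."""
    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token
    def request(self, method, path, body=None):
        # KV v2 PATCH (Vault >= 1.9) requires the JSON merge-patch media type.
        ctype = "application/merge-patch+json" if method == "PATCH" else "application/json"
        req = urllib.request.Request(
            f"{self.addr}/v1/{path}", method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": ctype})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:
            if e.code == 404:  # no KV record at that path yet
                raise LookupError(path) from e
            raise

class CertPortal:
    """Issues certs on a caller's behalf and revokes only that caller's serials."""
    def __init__(self, vault):
        self.vault = vault
    def owner_path(self, entity_id):
        return f"{KV}/data/cert-owners/{entity_id}"
    def owned_serials(self, entity_id):
        try:  # KV v2 nests the stored map under data.data
            return dict(self.vault.request("GET", self.owner_path(entity_id))["data"]["data"])
        except LookupError:
            return {}
    def issue(self, entity_id, common_name):
        cert = self.vault.request("POST", f"{PKI}/issue/{ROLE}", {"common_name": common_name})["data"]
        # PATCH merges one key into an existing record but 404s if none exists, so create first.
        method = "PATCH" if self.owned_serials(entity_id) else "POST"
        self.vault.request(method, self.owner_path(entity_id), {"data": {cert["serial_number"]: common_name}})
        return cert["serial_number"]
    def revoke(self, entity_id, serial):
        if serial not in self.owned_serials(entity_id):
            raise PermissionError(f"{entity_id} does not own certificate {serial}")
        self.vault.request("POST", f"{PKI}/revoke", {"serial_number": serial})
        return serial
```

Under these assumptions the portal's own token needs update on pki/issue/user and pki/revoke plus create, read, update and patch on secret/data/cert-owners/*, while end users get no direct pki/revoke access at all.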