I want to use the PKI to generate user certificates that should be used for 802.1X authentication.
Users authorize some custom application via OIDC/JWT to generate certificates for @example.com within the Vault PKI using some role with a corresponding policy path template.
Now I want to let users revoke their certificates, but only theirs.
From what I understand there are two ways of revoking certificates: either via the pki/revoke endpoint together with the certificate's serial, or by revoking a lease that is attached to the certificate.
Since I don't see how I could restrict access to the pki/revoke endpoint using a policy to limit users to revoking only their own certificates, it seems that I have to attach leases to the certificates.
But it seems that having leases requires me to periodically renew them, which I can't, as the users only interact with the app when they generate a new certificate or want to revoke one.
I kinda feel that I'm trying to use Vault in some unintended way.
Can you please point me in the right direction?
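Added example, not part of the original post: one way the custom application described above can enforce "users may only revoke their own certificates" on the application side. It assumes the app records the `serial_number` that Vault returns from `pki/issue/<role>` against the authenticated user's JWT subject, and that the later `pki/revoke` call is made with the application's own Vault token rather than the user's, so the ownership decision lives in the app, not in a Vault policy. Vault itself is replaced by a constructed in-memory stub (`FakeVaultPKI`, the role name `user-certs`, and the sample users are all assumptions) so the example runs offline.

```python
"""Application-side ownership check for Vault PKI certificate revocation.

Added example, not the original poster's code. Vault is stubbed out; the only
Vault-specific detail kept is that pki/issue returns a `serial_number` and
pki/revoke is called with that same serial.
"""
from dataclasses import dataclass, field


@dataclass
class FakeVaultPKI:
    """Constructed stand-in for Vault's pki/issue/<role> and pki/revoke endpoints."""
    issued: dict = field(default_factory=dict)   # serial -> common name
    revoked: set = field(default_factory=set)
    _counter: int = 0

    def issue(self, role: str, common_name: str) -> dict:
        self._counter += 1
        # Vault reports serials as colon-separated hex octets; this is a
        # constructed value, not a real Vault-issued serial.
        serial = ":".join(f"{b:02x}" for b in self._counter.to_bytes(4, "big"))
        self.issued[serial] = common_name
        return {"data": {"serial_number": serial,
                         "certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}}

    def revoke(self, serial_number: str) -> dict:
        # Mirrors the request body shape Vault expects: {"serial_number": ...}
        if serial_number not in self.issued:
            raise KeyError(f"unknown serial {serial_number}")
        self.revoked.add(serial_number)
        return {"data": {"revocation_time": 1}}


class CertOwnership:
    """Registry of which authenticated user (JWT `sub`) owns which serial.

    In a real deployment this mapping would live in the app's database;
    here it is an in-memory dict (assumption for the example).
    """

    def __init__(self, vault: FakeVaultPKI, role: str = "user-certs") -> None:
        self.vault = vault
        self.role = role
        self.owner_of: dict[str, str] = {}

    def issue_for_user(self, jwt_sub: str, email: str) -> str:
        """Issue a certificate for the user and remember who owns the serial."""
        resp = self.vault.issue(role=self.role, common_name=email)
        serial = resp["data"]["serial_number"]
        self.owner_of[serial] = jwt_sub
        return serial

    def revoke_for_user(self, jwt_sub: str, serial: str) -> bool:
        """Revoke only if the caller is the recorded owner of the serial.

        Unknown serials are rejected the same way as foreign ones so a caller
        cannot probe which serials exist.
        """
        owner = self.owner_of.get(serial)
        if owner is None or owner != jwt_sub:
            raise PermissionError("certificate is not owned by the caller")
        self.vault.revoke(serial_number=serial)
        return True


def demo() -> dict:
    """Walk through issue and revoke for two constructed users."""
    vault = FakeVaultPKI()
    app = CertOwnership(vault)
    alice_serial = app.issue_for_user("alice-sub", "alice@example.com")
    bob_serial = app.issue_for_user("bob-sub", "bob@example.com")
    try:
        app.revoke_for_user("bob-sub", alice_serial)   # cross-user attempt
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    alice_ok = app.revoke_for_user("alice-sub", alice_serial)
    return {"alice_serial": alice_serial, "bob_serial": bob_serial,
            "bob_blocked": bob_blocked, "alice_ok": alice_ok,
            "revoked": sorted(vault.revoked)}


if __name__ == "__main__":
    print(demo())
```

The design choice here is that Vault only ever sees the application's token, which holds `pki/revoke`; the per-user restriction is a lookup in the app's own serial-to-owner table populated at issue time. That avoids attaching leases to the certificates and the renewal obligation that comes with them.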