I’m trying to permanently delete expired and/or revoked certificates from vault but can’t succeed.
I config the tidy with the
vault write pki_int/tidy tidy_cert_store=true tidy_revoked_certs=true safety_buffer=“1h” command,
but after 1 hour, when I still list all the certificates, the revoke certificates still appear.
and When I call the following command as GET with the api call, it gives an “unsupported path” error.
https://Vault_ADDR:PORT/v1/pki/tidy-status
so in summary, is there any way to delete a revoked certificate unless it expires from the certificate list under pki_int in versions after vault 1.10.0?
You don’t mention why you’re trying to do this, but based on my own experience, I can guess that perhaps someone has issued a crazy amount of certificates and drastically increased the size of your Vault data store, and you’re trying to reduce it?
The only option available in Vault today, would be to enable the sys/raw endpoint, and perform manual surgery on the internal data store of the PKI secrets engine. You could try this if you really feel you need to, but I have not tested it in this use case, and cannot vouch for its safety.
If you do, be sure to write your ACL policies so you don’t accidentally enable reading the CA’s private key out of Vault via the sys/raw API!
The underlying problem is that if a certificate is just “deleted” rather than being included in the CRL then the cert is still actually valid.
Once a certificate has been issued the issuing system no longer has any direct control over that certificate - the issuer has just signed it with a trust statement saying that it will be valid as trusted between two dates. Without CRLs there is then no way to revoke that validity.
The CRL mechanism was created to try to fill that hole. If a certificate is listed in the CRL, and the user checks the CRL list (not all software may be configured to do so, or firewalls might prevent access) even though the certificate itself is still shown as being valid it will be seen as invalid.
If it is 100% certain that all references to a certificate have been destroyed (i.e. the key/cert/pem files have been removed with no copies or backups remaining) then a CRL entry isn’t actually needed - there is no way for the cert to be presented as all copies are gone.
However the more normal situation is that it can’t be assumed to be the case. Maybe there was a security exploit, so the certificate could have been copied elsewhere, or the certificate is being revoked because it was issued in error or against policy (with no knowledge of where the cert files exist). In this case an entry in the CRL is vital.
Once the certificate reaches its natural expiry the CRL entry can be removed as it is no longer needed.
In general with the usage of Vault you’d expect certificate validity periods to be fairly short. It is good practice to have short lived credentials which are then automatically rotated instead of using long lived ones - this is true for all the secrets that Vault can manage, be it IAM users, database credentials or PKI. If that is followed the overhead for keeping revoked certificates around (maybe for a few weeks/months at most) in the CRL should be minimal.