When the RA mode with StepCAS is used, let the CA decide which lifetime
the RA should get instead of requiring always 24h.
This commit also fixes linter warnings.
Related to #1094
It supports renewing X.509 certificates when an RA is configured with stepcas.
This will only work when the renewal uses a token, and it won't work with mTLS.
The audience cannot be properly verified when an RA is used, to avoid this we
will get from the database if an RA was used to issue the initial certificate
and we will accept the renew token.
Fixes#1021 for stepcas
This commit adds some changes to PR #731, some of them are:
- Add distribution point to the CRL
- Properly stop the goroutine that generates the CRLs
- CRL config validation
- Remove expired certificates from the CRL
- Require enable set to true to generate a CRL
This last point is the principal change in behaviour from the previous
implementation. The CRL will not be generated if it's not enabled, and
if it is enabled it will always be regenerated at some point, not only
if there is a revocation.
To be able to extend the AuthDB with methods that also extend the
provisioner we need to either create a new method or to split the
interface. This change splits the interface so we can have a cleaner
implementation.
* Only shutdown the database once.
* Be careful when reloading the CA. Depending on whether the DB has
already been shutdown, and error may be unrecoverable.
Mariano Cano
Max
Raal Goff
Herman Slatman
Mariano Cano