Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Currently the provisioner interface and code (see `ca/provisioner.go`) provide public methods to generate tokens for certificate signing and SSH, but there is no public/exposed method for generating a JWT for the certificate revoke endpoint (audience `/1.0/revoke`). An ergonomic, supported method for clients to generate appropriate revoke tokens, in alignment with the token-based `Revoke()` method in `ca/client.go`, is missing.
While advanced clients with a JWK provisioner's key material can manually implement correct JWT token generation for the revoke audience, offering this as a public provisioner method (e.g., `Provisioner.RevokeToken(serial string)`) will standardize usage, prevent errors, and encourage best practices (such as setting `sub` to the serial and using the correct audience claim). It will also provide a similar level of ergonomics as the existing signing token flow.
Related code for reference:
Why is this needed?
Token-based certificate revocation is a core feature for many client-side and automated workflows. Simplifying and standardizing revoke token creation will remove ambiguity, reduce implementation errors, and lower the barrier for external users and automation to leverage robust revocation without custom JWT logic. This brings client-side revocation support to parity with certificate issuance and helps future-proof management workflows.