Add certificate revocation, deletion, and retrieval

Admins can now revoke or delete certificate records from the cert detail
page in the web UI. Revoked certificates display a [REVOKED] badge and
show revocation metadata (time and actor). Deletion redirects to the
issuer page.

The REST API gains three new authenticated endpoints that mirror the
gRPC surface:
  GET    /v1/ca/{mount}/cert/{serial}         (auth required)
  POST   /v1/ca/{mount}/cert/{serial}/revoke  (admin only)
  DELETE /v1/ca/{mount}/cert/{serial}         (admin only)

The CA engine stores revocation state (revoked, revoked_at, revoked_by)
directly in the existing CertRecord barrier entry. The proto CertRecord
message is extended with the same three fields (field numbers 10–12).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 13:37:54 -07:00
parent 74e35ce63e
commit d574685b99
27 changed files with 839 additions and 91 deletions


@@ -98,6 +98,14 @@ func (m *mockVault) ListCerts(ctx context.Context, token, mount string) ([]CertS
return nil, nil
}
func (m *mockVault) RevokeCert(ctx context.Context, token, mount, serial string) error {
return nil
}
func (m *mockVault) DeleteCert(ctx context.Context, token, mount, serial string) error {
return nil
}
func (m *mockVault) Close() error { return nil }
// newTestWebServer builds a WebServer wired to the given mock, suitable for unit tests.
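Review bot: the new mock methods RevokeCert and DeleteCert ignore their token argument and always return nil, so tests built on newTestWebServer can only exercise the success path of the revoke and delete handlers. The commit message marks both operations as admin only, so consider letting a test make these methods return an error (for example through optional function fields on mockVault that the methods call when set). That would cover how the handlers respond to a permission-denied or not-found result from the vault. A one-line doc comment on each new method would also match the comment already present on newTestWebServer.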