Kyle Isom
d574685b99
Admins can now revoke or delete certificate records from the cert detail
page in the web UI. Revoked certificates display a [REVOKED] badge and
show revocation metadata (time and actor). Deletion redirects to the
issuer page.
The REST API gains three new authenticated endpoints that mirror the
gRPC surface:
GET /v1/ca/{mount}/cert/{serial} (auth required)
POST /v1/ca/{mount}/cert/{serial}/revoke (admin only)
DELETE /v1/ca/{mount}/cert/{serial} (admin only)
The CA engine stores revocation state (revoked, revoked_at, revoked_by)
directly in the existing CertRecord barrier entry. The proto CertRecord
message is extended with the same three fields (field numbers 10–12).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
954 B
[2026-03-15 11:53] - Updated by Junie { "TYPE": "correction", "CATEGORY": "gRPC config", "EXPECTATION": "Use only the v2 gRPC server configuration and remove v1 config paths/fields.", "NEW INSTRUCTION": "WHEN editing gRPC server configuration THEN remove v1 config and use only v2 fields" }
[2026-03-15 13:02] - Updated by Junie { "TYPE": "correction", "CATEGORY": "gRPC config", "EXPECTATION": "Use only the v2 gRPC server configuration and remove v1 config paths/fields.", "NEW INSTRUCTION": "WHEN editing gRPC server configuration THEN remove v1 config and use only v2 fields" }
[2026-03-15 13:34] - Updated by Junie { "TYPE": "negative", "CATEGORY": "tarball download", "EXPECTATION": "The tarball download should succeed, or clearly show an error in the browser when it fails.", "NEW INSTRUCTION": "WHEN implementing download endpoints THEN return non-200 on failure with an explanatory message" }