Certificate Manager - Admin revocation of OIDC provisioned user certificates #1185
Unanswered
doubledipped asked this question in Ideas
-
Hi @doubledipped, I'm glad you like the product! We have active revocation now, in Certificate Manager. It's part of our new Advanced Authorities offering. For help getting set up with it, check out support.smallstep.com, which is our Certificate Manager support site. You can make a ticket there, if you have questions. We'd love to learn more about your needs.
-
Hi Smallstep,
I have been evaluating Certificate Manager, primarily as a potential solution to issue/manage human user certificates for mTLS authentication with an application proxy. I really like what you have achieved and it could be a good fit for us, with the added potential to grow the dev-ops side in the future. The OIDC provisioner appears to give us the ability for self-service enrolment using our IdP for authorisation.
I can see from other discussions and mentions in the docs that active revocation is on the roadmap. The ability to revoke a certificate with a longer validity period, prior to its expiry, and query the CRL distribution URI as part of our identity aware proxy access rule is going to be essential, so I look forward to that feature being available.
I was wondering though, whether there are plans to give provisioner admins or super admins the ability to revoke OIDC certs issued to other users? Currently I don't appear to be able to do that.