Adding CRLIssuer information to crlDistributionPoints
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
The current implementation of crlDistributionPoints in the step-ca template only allows an array of URIs. Although one must assume that the CRL Issuer is the same as the CA, it is sometimes not true and may require adding a CRLIssuer block as per RFC 5280.
Add the ability to include the CRL Issuer within the crlDistributionPoints extension in the template.
Why is this needed?
Keeping up with RFC5280.
Hi @frank-park, thanks for adding an issue for this.
I've learned that CRLIssuer is not supported by Go's crypto/x509 package, which is the upstream X.509 library we use. So, we'd have to override that library to implement this. We don't have the capacity to do that right now, but we'll keep the issue open.
You may also wish to petition for this enhancement in the upstream library.
Meanwhile, the current workaround to get CRLIssuer into step-ca templates is to provide the value as a base64-encoded string containing the ASN.1 you need. See this docs section for details: https://smallstep.com/docs/step-ca/templates/#arbitrary-x509-extensions
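Worked example of that workaround, added here for illustration (it is not code from this thread or from smallstep; the issuer name, the URI and the `id`/`critical`/`value` layout of the template entry are assumptions to check against the linked docs). It builds the RFC 5280 CRLDistributionPoints value with `encoding/asn1`, including the `cRLIssuer [2]` GeneralNames that `crypto/x509` will not generate from a template, base64-encodes it for the template, decodes it again to check the tagging, and finally pushes it through `x509.CreateCertificate`/`x509.ParseCertificate` via `ExtraExtensions` to show that Go's parser still reads the URIs out of a distribution point that carries a cRLIssuer:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var oidCRLDistributionPoints = asn1.ObjectIdentifier{2, 5, 29, 31} // id-ce-cRLDistributionPoints, RFC 5280 4.2.1.13

// RFC 5280 DistributionPoint, with DistributionPointName restricted to its fullName [0]
// alternative and reasons [1] omitted. cRLIssuer is [2] IMPLICIT GeneralNames, the field
// the template has no key for.
type distributionPointName struct {
	FullName []asn1.RawValue `asn1:"optional,tag:0"`
}

type distributionPoint struct {
	DistributionPoint distributionPointName `asn1:"optional,tag:0"`
	CRLIssuer         []asn1.RawValue       `asn1:"optional,tag:2"`
}

// BuildCRLDP returns the DER CRLDistributionPoints value: one DistributionPoint
// listing uris and naming issuer as the cRLIssuer.
func BuildCRLDP(uris []string, issuer pkix.Name) ([]byte, error) {
	var dp distributionPoint
	for _, u := range uris {
		// GeneralName.uniformResourceIdentifier: [6] IMPLICIT IA5String.
		dp.DistributionPoint.FullName = append(dp.DistributionPoint.FullName, asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(u)})
	}
	// GeneralName.directoryName: [4] EXPLICIT Name. Name is a CHOICE, so the context
	// tag is constructed and wraps the complete DER SEQUENCE of the Name.
	nameDER, err := asn1.Marshal(issuer.ToRDNSequence())
	if err != nil {
		return nil, err
	}
	dp.CRLIssuer = []asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 4, IsCompound: true, Bytes: nameDER}}
	return asn1.Marshal([]distributionPoint{dp})
}

// ParseCRLIssuer decodes the value again and returns the cRLIssuer directoryName of
// the single DistributionPoint, rejecting anything whose tagging is not as expected.
func ParseCRLIssuer(der []byte) (issuer pkix.Name, err error) {
	var dps []distributionPoint
	rest, err := asn1.Unmarshal(der, &dps)
	if err != nil || len(rest) != 0 || len(dps) != 1 || len(dps[0].CRLIssuer) != 1 {
		return issuer, fmt.Errorf("unexpected CRLDistributionPoints layout (err=%v)", err)
	}
	gn := dps[0].CRLIssuer[0]
	if gn.Class != asn1.ClassContextSpecific || gn.Tag != 4 || !gn.IsCompound {
		return issuer, fmt.Errorf("cRLIssuer GeneralName is not a directoryName")
	}
	var rdn pkix.RDNSequence
	_, err = asn1.Unmarshal(gn.Bytes, &rdn)
	issuer.FillFromRDNSequence(&rdn)
	return issuer, err
}

// IssueAndReadBack puts the raw extension into a self-signed certificate via
// ExtraExtensions, as a template "extensions" entry would, and returns the URIs
// crypto/x509 parses from it: the parser reads the distributionPoint and skips the
// cRLIssuer it cannot itself emit.
func IssueAndReadBack(ext []byte) ([]string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "leaf.example.com"}, // constructed sample
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCRLDistributionPoints, Value: ext}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return cert.CRLDistributionPoints, nil
}

func main() {
	// Constructed sample issuer and URI, not taken from the issue.
	issuer := pkix.Name{CommonName: "Example CRL Issuer", Organization: []string{"Example Corp"}}
	ext, err := BuildCRLDP([]string{"http://crl.example.com/ca.crl"}, issuer)
	if err != nil {
		panic(err)
	}
	// Assumed shape of a template "extensions" entry (id, critical, base64 value); check the docs.
	fmt.Printf("{\"id\": %q, \"critical\": false, \"value\": %q}\n", oidCRLDistributionPoints.String(), base64.StdEncoding.EncodeToString(ext))
}
```

`go run` prints the JSON fragment to paste into the template's `extensions` array; `ParseCRLIssuer` and `IssueAndReadBack` are there so the bytes can be checked before a CA signs anything with them. One caveat from RFC 5280 itself (section 5.2.5): a CRL whose issuer differs from the certificate issuer is an indirect CRL, which must carry an issuingDistributionPoint extension with `indirectCRL` set, and a relying party has to support indirect CRL processing to use it (Go's `crypto/x509` does no CRL checking in `Verify` at all), so confirm what your clients do with the extension before deploying it.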