Update docs for CRL

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -2,7 +2,7 @@ import { ForbiddenError } from "@casl/ability";
 import * as x509 from "@peculiar/x509";
 
 import { TCertificateAuthorityCrlDALFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-dal";
-import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+// import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
 import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/ee/services/permission/project-permission";
 import { BadRequestError, NotFoundError } from "@app/lib/errors";
@@ -19,7 +19,7 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
-  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  // licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
 
 export type TCertificateAuthorityCrlServiceFactory = ReturnType<typeof certificateAuthorityCrlServiceFactory>;
@@ -29,8 +29,7 @@ export const certificateAuthorityCrlServiceFactory = ({
   certificateAuthorityCrlDAL,
   projectDAL,
   kmsService,
-  permissionService,
+  permissionService // licenseService
-  licenseService
 }: TCertificateAuthorityCrlServiceFactoryDep) => {
   /**
    * Return CRL with id [crlId]
@@ -85,12 +84,12 @@ export const certificateAuthorityCrlServiceFactory = ({
       ProjectPermissionSub.CertificateAuthorities
     );
 
-    const plan = await licenseService.getPlan(actorOrgId);
+    // const plan = await licenseService.getPlan(actorOrgId);
-    if (!plan.caCrl)
+    // if (!plan.caCrl)
-      throw new BadRequestError({
+    //   throw new BadRequestError({
-        message:
+    //     message:
-          "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
+    //       "Failed to get CA certificate revocation lists (CRLs) due to plan restriction. Upgrade plan to get the CA CRL."
-      });
+    //   });
 
     const caCrls = await certificateAuthorityCrlDAL.find({ caId: ca.id }, { sort: [["createdAt", "desc"]] });
 

backend/src/server/routes/index.ts

@@ -646,8 +646,8 @@ export const registerRoutes = async (
     certificateAuthorityCrlDAL,
     projectDAL,
     kmsService,
-    permissionService,
+    permissionService
-    licenseService
+    // licenseService
   });
 
   const certificateTemplateService = certificateTemplateServiceFactory({

docs/documentation/platform/pki/certificates.mdx

@@ -151,18 +151,24 @@ In the following steps, we explore how to revoke a X.509 certificate under a CA
   </Step>
   <Step title="Obtaining a CRL">
     In order to check the revocation status of a certificate, you can check it
-    against the CRL of a CA by selecting the **View CRL** option under the
+    against the CRL of a CA by heading to its Issuing CA and downloading the CRL.
-    issuing CA and downloading the CRL file.
 
     ![pki view crl](/images/platform/pki/ca-crl.png)
 
-    ![pki download crl](/images/platform/pki/ca-crl-modal.png)
-
     To verify a certificate against the
     downloaded CRL with OpenSSL, you can use the following command:
 
 ```bash
 openssl verify -crl_check -CAfile chain.pem -CRLfile crl.pem cert.pem
+```
+
+Note that you can also obtain the CRL from the certificate itself by
+referencing the CRL distribution point extension on the certificate itself.
+
+To check a certificate against the CRL distribution point specified within it with OpenSSL, you can use the following command:
+
+```bash
+openssl verify -verbose -crl_check -crl_download -CAfile chain.pem cert.pem
 ```
 
   </Step>