Revert test and add documentation

serverless-ca · Mar 17, 2024 · fa0f996 · fa0f996
1 parent 92c125e
commit fa0f996
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/docs/faq.md b/docs/faq.md
@@ -77,3 +77,6 @@ To specify both client and server authentication extensions:
 "purposes": ["client_auth", "server_auth"],
 ```
 If `purposes` isn't specified, the certificate will only include the client authentication extension.
+
+### How can I change CRL lifetime?
+The default setting for CRL lifetime of 1 day should be appropriate for most use cases. However, the Issuing CRL lifetime, Root CRL lifetime, and publication frequency can be adjusted as detailed in [Revocation](revocation.md#crl-lifetime).
diff --git a/docs/revocation.md b/docs/revocation.md
@@ -18,10 +18,6 @@ Applying Terraform will result in:
 ## CRL location
 CRL locations are detailed in [CA Cert Locations](locations.md)
 
-## CRL publication frequency
-* CRLs are published once every 24 hours by default
-* CRLs can be published manually by executing the CA Step Function
-
 ## Enable certificate revocation
 CRLs are always published, however the ability to revoke a certificate needs to be enabled. If you followed the [Getting Started](getting-started.md) guide, you'll already have done this:
 * add a subdirectory to your repository with the same name as the value of the Terraform variable `env`, e.g. `dev`, `prd`
@@ -47,3 +43,19 @@ add files and subdirectory following the [rsa-public-crl example](../examples/rs
 ```
 * run the pipeline
 * wait up to 24 hours, or manually execute the CA Step Function
+
+## CRL publication frequency
+To avoid certificate validation errors, it's essential that the CRL publication interval is less than, or equal to, the CRL lifetime. This ensures there is always a valid CRL at any time.
+* CRLs are published once every 24 hours by default
+* CRLs can be published manually by executing the CA Step Function
+* Issuing CA and Root CA CRLs are publised at the same time
+* Publication frequency can be changed using the Terraform variable `schedule_expression`
+* Generally there should be no need to change this value from the default
+
+## CRL lifetime
+To avoid certificate validation errors, it's essential that the CRL lifetime is equal to, or greater than, the publication interval. This ensures there is always a valid CRL at any time.
+* Issuing CA CRL lifetime can be adjusted using the Terraform variables `issuing_crl_days` and `issuing_crl_seconds`
+* `issuing_crl_days` should normally be identical to the interval configured in `schedule_expression`
+* `issuing_crl_seconds` is an additional time period used as an overlap in case of clock skew
+* Similarly, Root CA CRL lifetime can be adjusted using the Terraform variables `root_crl_days` and `root_crl_seconds`
+ * Generally there should be no need to change these values from their defaults
diff --git a/examples/rsa-public-crl/ca.tf b/examples/rsa-public-crl/ca.tf
@@ -10,7 +10,6 @@ module "certificate_authority" {
   issuing_ca_info     = local.issuing_ca_info
   root_ca_info        = local.root_ca_info
   issuing_ca_key_spec = "RSA_4096"
-  issuing_crl_days    = 2 # temporary test
   root_ca_key_spec    = "RSA_4096"
   public_crl          = true
   cert_info_files     = ["tls", "revoked", "revoked-root-ca"]

diff --git a/variables.tf b/variables.tf
@@ -187,7 +187,7 @@ variable "s3_aws_principals" {
 }
 
 variable "schedule_expression" {
-  description = "Step function schedule in cron format, interval must be less than CRL lifetime"
+  description = "Step function schedule in cron format, interval should normally be the same as issuing_crl_days"
   default     = "cron(15 8 * * ? *)" # 8.15 a.m. daily
 }