Certificate revocation for mTLS authentication on Confluent Cloud¶

In Confluent Cloud, mTLS (mutual TLS) authentication supports Certificate Revocation Lists (CRLs) to ensure that client certificates used for authentication are still valid and have not been revoked. Certificate Revocation Lists (CRLs) are mechanisms used to maintain and distribute lists of certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration dates. This ensures that any certificate that is no longer trustworthy, due to reasons such as the certificate being compromised or the certificate being revoked, is flagged and not used for authentication purposes.

When a client certificate is presented during the mTLS handshake, a Confluent Cloud Dedicated cluster checks the CRL to identify whether the presented certificate is listed a revoked certificate. This is crucial for maintaining a secure environment, as it allows administrators to revoke certificates that are compromised or no longer in use.

A CRL can be provided as a URL or a locally uploaded PEM file, and Confluent Cloud parses and validates the CRL accordingly.

Requirements¶

Confluent Cloud supports using a CRL URL or a CRL chain for providing a Certificate Revocation List (CRL) from a Certificate Authority (CA). See the following sections for details.

CRL URL¶

A CRL URL (crl_url) is a manually provided CRL URL or a CRL URL parsed from the certificate chain PEM file provided when configuring a Confluent Cloud Certificate Authority. If found and no CRL was manually provided, the URL parsed from the certificate chain is set as the crl_url.

The crl_url is a string of the publicly accessible URL hosting the certificate revocation list (CRL) you would like to use for this certificate authority. By default, Confluent Cloud refreshes the CRL retrieved from crl_url every 24 hours.

The CRL must meet the following requirements:

Must be a direct CRL, meaning it was issued by the certificate_chain being configured, or in the case of more than one certificate in certificate_chain, issued by one of the certificates on the chain.
Can be DER or PEM format.
Cannot exceed 10 MB file size.
Must be internet media type application/pkix-crl.

CRL chain¶

A CRL chain (crl_chain) is a Base64-encoded string representation of a local PEM formatted CRL to use as the Certificate Authority CRL.

Locally uploading the CRL is an alternative to providing a URL intended for organizations that do not have a public endpoint for their CRL. To manually update the crl_chain for a Confluent Cloud Certificate Authority, use the PUT /iam/v2/certificate-authorities/{id} API endpoint.

The CRL chain (crl_chain) must meet the following requirements:

Must be a direct CRL, issued by the certificate_chain being configured (or in the case of more than one certificate in certificate_chain, issued by one of the certificates in the chain).
Must be in PEM format. If your CRL file extension ends in .crl in DER format, you must convert it to PEM format by using the following command:
```
openssl crl -in <your-der-format-crl.crl> -inform DER -out crl.pem
```
Cannot exceed 10 MB file size.

Configure a CRL¶

To configure a CRL for a Confluent Cloud Certificate Authority, you can use the following methods:

When you create a certificate authority, you can optionally configure a CRL. If you do not specify a CRL URL or CRL chain when creating a CA, you can configure a CRL URL or CRL chain later, or override the CRL URL in the PEM file by following these steps:

In the Confluent Cloud Console, go to Account & access, then click Workload identities. Alternatively, click https://confluent.cloud/settings/org/workload-identities.
Click the name of the certificate authority you want to configure. The Certificate Authority details page displays.
Click the Edit button.
To update the CRL option, use of the following options:
- If you have a PEM file that contains the CRL, you can delete the existing CRL URL or CRL chain and upload the PEM file.
- To add a CRL file or override the CRL URL in the PEM file, upload your CRL file or enter the URL into the CRL URL field.
Note: The Confluent Cloud Console validates the CRL file and, if an indirect CRL is detected, displays the following error message: Unable to validate provider values.
Save your changes.

To configure a CRL using the Confluent CLI, use the confluent iam ca update command. For example:

confluent iam certificate-authority update <ca-id> --crl-url <crl-url>

To configure a CRL using the REST API, you can use the PUT /iam/v2/certificate-authorities/{id} API endpoint.

For example, to configure a CRL for a Confluent Cloud Certificate Authority with the ID ca-abc123, you can use the following request:

PUT /iam/v2/certificate-authorities/ca-abc123
{
   "crl_url": "https://example.com/crl.pem"
}

This request sets the crl_url to https://example.com/crl.pem for the Confluent Cloud Certificate Authority with the ID ca-abc123.

To manually update the crl_chain for a Confluent Cloud Certificate Authority, use the PUT /iam/v2/certificate-authorities/{id} API endpoint.

For example, to configure a CRL Chain (crl_chain) for a Confluent Cloud Certificate Authority with the ID ca-abc123, you can use the following request:

PUT /iam/v2/certificate-authorities/ca-abc123
{
   "crl_chain": "-----BEGIN CRL-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu7z+3+5\n-----END CRL-----"
}

This request sets the crl_chain to the Base64-encoded string representation of the local PEM formatted CRL for the Confluent Cloud Certificate Authority with the ID ca-abc123.

CRL behavior¶

If the client uses a client certificate found in the list of revoked certificates in the optionally configured CRL, then authentication will fail. The end user experience is that the Kafka connection will end in a timed out error.

When the CRL is added or updated, all existing and new client connections are checked against the CRL.