
crypto/x509: add ability to reload root certificates #41888

@dtoubelis

Description


Problem description:

As can be seen on this line, root certificates are loaded only once during the lifetime of the application:

once.Do(initSystemRoots)

This creates a problem when new root certificates are added. In our case, it happens on a regular basis when clients add intermediate/root certificates to the system via a separate component and then all other components that run in separate processes are expected to make use of them. This is currently not possible.

Workaround:

We have currently re-implemented the root certificate loading logic by cutting and pasting the code from this library into our codebase, and we create our own certPool() for every request that requires the CA chain refresh.

Proposed solutions:

  1. Add a ReloadRootCertificates() call and invoke it as needed - backward compatible, but still a source of gotchas.
  2. Do not use the global state and singleton, and parse the certificate chain on each request - may have an unexpected performance impact.
  3. Make the method for creating the root certificate pool public.
  4. Add a root certificate cache expiry timeout that can go all the way down to 0, triggering a cert chain reload on each request.
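The once-loaded pool versus a rebuilt one, as an added example that is not part of the issue or of crypto/x509 itself: issue(), verify() and Demo() are hypothetical helpers, the CA and leaf certificates are constructed in memory, and the bundle variable stands in for the root file on disk.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed in-memory self-signed CA and a leaf it signs, returning the leaf
// and the CA's PEM (a stand-in for a root dropped into the system store by another component).
func issue(caName string) (*x509.Certificate, []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "service.internal"},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return leaf, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}

// verify rebuilds the root pool from the current bundle for this one check: the per-request reload the workaround above performs instead of trusting the pool loaded once per process.
func verify(leaf *x509.Certificate, bundle []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("root bundle has no parsable certificates")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// Demo: the leaf's root lands on disk after the pool was built once (as once.Do(initSystemRoots) does); that stale pool rejects the leaf, a rebuilt one accepts it.
func Demo() (stalePoolOK, rebuiltPoolOK bool) {
	_, oldRoot := issue("Old Root")
	leaf, newRoot := issue("New Root")
	stale := x509.NewCertPool()
	stale.AppendCertsFromPEM(oldRoot)     // loaded once, before the new root existed
	bundle := append(oldRoot, newRoot...) // a separate component then installs the new root
	_, err := leaf.Verify(x509.VerifyOptions{Roots: stale})
	return err == nil, verify(leaf, bundle) == nil
}

func main() { fmt.Println(Demo()) } // false true
```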

Labels: FeatureRequest, NeedsDecision, Proposal-Crypto