Workload Identity Revocations
The revocations mechanism provides a way to mark an issued X509 workload identity credential as revoked - indicating to workloads that this credential should no longer be considered valid.
Typically, the short-lived nature of the X509 SVIDs issued by Teleport Workload Identity means that revocations are not required. However, in some cases, you may still desire to revoke an issued credential prior to its expiry.
When an X509 SVID is revoked, a signed Certificate Revocation List will be distributed to workloads via the Workload API or via a svid-crl.pem file written to a workload-identity-x509 output.
Workloads and third-party services must explicitly support CRLs for a revocation to take effect. CRL support is limited in some environments, so audit that support before relying on this feature.
Using tctl to revoke an X509 SVID
Before revoking an X509 SVID, you must have the serial number of the X509 SVID that you wish to revoke. This can be determined via the Teleport audit log.
When creating a revocation, you will also need to provide a reason for the revocation. This is a free-form string that can be used to provide additional context for the revocation.
Use tctl workload-identity revocations add to create a new revocation:
tctl workload-identity revocations add --type x509 --serial aabbcc11 --reason compromised
Using tctl to list revocations
You can list the currently revoked X509 SVIDs using the tctl workload-identity revocations ls command:
tctl workload-identity revocations ls
Type Serial   Revoked At           Expires At                        Reason
---- -------- -------------------- --------------------------------- -------
x509 aabbcc11 2025-02-20T11:44:13Z 2025-02-27T11:44:13Z (34m21s)     example
Using tctl to remove a revocation
You can remove an existing revocation using the tctl workload-identity revocations rm command:
tctl workload-identity revocations rm --type x509 --serial aabbcc11
However, it is usually preferable to issue a new X509 SVID rather than remove a revocation: validators may cache CRLs, so removing a revocation may not take effect immediately.
Using tctl to fetch the signed CRL
If you need to export the signed CRL to import it into a third-party service (e.g. AWS Roles Anywhere), you can use the tctl workload-identity revocations crl command:
tctl workload-identity revocations crl
2025-02-27T10:54:02.526Z INFO Received CRL from server common/workload_identity_command.go:435
-----BEGIN X509 CRL-----
MIIChjCCAW4CAQEwDQYJKoZIhvcNAQELBQAwajEaMBgGA1UEChMRbGVhZi50ZWxlLm90dHIuc2gxGjAYBgNVBAMTEWxlYWYudGVsZS5vdHRyLnNoMTAwLgYDVQQFEyczMjkxOTYyMDc1Mjg4MDE2Nzg5Nzk4NTgyNDM3NjY0NjM3MTMxNjgYDzAwMDEwMTAxMDAwMDAwWjCBqDAWAgUAqrvM7hcNMjUwMjIwMTE0MTM1WjAWAgUAqrvM/xcNMjUwMjIwMTE0MzUyWjAWAgUAqrvMERcNMjUwMjIwMTE0NDEzWjAWAgUAqrvMIhcNMjUwMjIwMTE0NjAxWjAWAgUAqrvMRBcNMjUwMjIxMTQ1OTA0WjAWAgUAqrvMZhcNMjUwMjI1MTEwNzQ3WjAWAgUAqrvM3RcNMjUwMjIwMTEzOTM0WqAyMDAwHwYDVR0jBBgwFoAUS90sNZrJbUnpDq144QcC1Ifqvi8wDQYDVR0UBAYCBGfARCwwDQYJKoZIhvcNAQELBQADggEBABPjnKBtXLq/gA79zSXJlN4ownSJsedEXhrM/04Cxn+VrzVInnIRTttBD/uTrjJnLzvLTdD7z9SrrM3hNsPkR4zoSy9io7u/G08jK3+IBoXzDcf32ca89z6xomSC1mo5q3ijMqDj7xZC1i6RcQbNtzXc5+aD3Hd3MgmFf7K9IvwmCX7kugD76N8zUDMKJPgHttuvl1oYoY2k+jvp3Lu5wjTcLWEuqZOWHImY9ZYx3fmXNjgjnDfxtFJEdB/d5SoDzpGXC394eeRmFml77+L0XfZmbmcXE00sRBi0Xr5MAa1PGjw/wS9a4QIDGaj2VG6k+CY1GIeBW0qTwuRt4qvW8Nk=
-----END X509 CRL-----
To write this directly to a file, provide the --out flag with the path to write the file to.
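Teleport distributes the CRL but the workload itself has to enforce it, so the consumer-side check is shown here as an added example (not Teleport's or SPIFFE's own code). checkSVIDAgainstCRL is what a Go workload would run on a peer SVID after normal chain validation; demoCRL, the throwaway CA and the serials are constructed stand-ins for the CA bundle and svid-crl.pem the workload would actually read, and the code assumes Go 1.21 or later for x509.RevocationListEntry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Extra step after normal chain validation of a peer SVID: reject an unusable CRL, then any listed serial.
func checkSVIDAgainstCRL(crlPEM []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) error {
	block, _ := pem.Decode(crlPEM) // svid-crl.pem and `tctl ... revocations crl` both emit this PEM type
	if block == nil || block.Type != "X509 CRL" {
		return fmt.Errorf("no X509 CRL PEM block found")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil || crl.CheckSignatureFrom(issuer) != nil { // only a CRL signed by the SVID issuer counts
		return fmt.Errorf("CRL is unparseable or not signed by the SVID issuer")
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) { // a stale CRL may lack newer revocations
		return fmt.Errorf("CRL past NextUpdate %s: refresh it before trusting it", crl.NextUpdate.UTC())
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("serial %x revoked at %s", serial, e.RevocationTime.UTC().Format(time.RFC3339))
		}
	}
	return nil
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// demoCRL: throwaway CA plus a CRL revoking one serial, a constructed stand-in for the CA bundle and svid-crl.pem.
func demoCRL(revoked *big.Int, now time.Time) (*x509.Certificate, []byte) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))))
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(7 * 24 * time.Hour), // NextUpdate is this demo's choice; the check tolerates a CRL without one
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: revoked, RevocationTime: now}}}, ca, key))
	return ca, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}

func main() {
	ca, crlPEM := demoCRL(big.NewInt(0xaabbcc11), time.Now()) // the serial revoked in the tctl example above
	fmt.Println(checkSVIDAgainstCRL(crlPEM, ca, big.NewInt(0xaabbcc11), time.Now())) // serial aabbcc11 revoked at ...
}
```

The check fails closed: a CRL that does not parse, is signed by another key, or is past its NextUpdate is rejected rather than treated as an empty list.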