Handling client certificate compromise/revocation (MTLS)

I have been looking at the tls-full example for MTLS configuration (and have got it working end to end with Temporal running on EKS).

I have a client CA configured on the server via “clientCaFiles” but am wondering what the best approach is to handle client certificates that are compromised.

I’m thinking of the case where developers can each have their own client cert signed by the intermediate engineering CA (as opposed to a shared developer namespace cert) and a laptop gets stolen.

I believe you’d have to re-issue all certs under the CA (unless there is some other way to revoke individual certificates).

Is there a way to revoke an individual cert or support for CRL? I’m not an expert but I imagine there is some complexity in supporting that.

Alternatively, is it possible to add individual end-entity certs to “clientCaFiles”? I tried but it didn’t work. (I didn’t try adding a certificate list/chain with the full chain of trust. AWS API GW MTLS seems to support adding end user certs this way, I believe, so I was wondering if Temporal may also support that.)


Hi Liam,

My apologies for the late response. Unfortunately, we are heading in a direction of only allowing rooted CAs and providing mechanisms to match against client certificates and distinguished names.

In addition, we are not supporting CRL or OCSP.

Best Regards,
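What the question asks for (dropping one stolen developer cert without re-issuing everything under the engineering CA) and what the reply describes (matching against client certificates and distinguished names) both come down to a check that runs after ordinary CA chain verification has succeeded. The Go program below is an added illustration of that check using the standard library's crypto/tls hook; it is not code from Temporal or from anyone in this thread, and it does not show that Temporal exposes such a hook. The ClientCertPolicy type, the in-memory "engineering intermediate CA", the two developer certs and every helper name are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientCertPolicy is a hypothetical per-certificate policy layered on top of CA chain
// verification: a denylist keyed by issuer DN + serial (what a CRL entry names) and a CN allowlist.
type ClientCertPolicy struct {
	RevokedSerials map[string]bool
	AllowedCNs     map[string]bool // empty means any CN under the trusted CA is accepted
}

func serialKey(c *x509.Certificate) string { return c.Issuer.String() + "|" + c.SerialNumber.Text(16) }

// Revoke blocks one individual certificate; nothing else issued by the same CA changes.
func (p *ClientCertPolicy) Revoke(c *x509.Certificate) { p.RevokedSerials[serialKey(c)] = true }

// Check has the tls.Config.VerifyPeerCertificate signature. With RequireAndVerifyClientCert it
// runs only after the chain verified against ClientCAs, so verifiedChains[0][0] is a leaf under a trusted CA.
func (p *ClientCertPolicy) Check(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return fmt.Errorf("no verified client certificate chain")
	}
	leaf := verifiedChains[0][0]
	if p.RevokedSerials[serialKey(leaf)] {
		return fmt.Errorf("client cert CN=%q serial=%s is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
	}
	if len(p.AllowedCNs) > 0 && !p.AllowedCNs[leaf.Subject.CommonName] {
		return fmt.Errorf("client cert CN=%q is not in the allowlist", leaf.Subject.CommonName)
	}
	return nil
}

// ServerTLSConfig: require a client cert, verify it against the client CA pool, then apply the policy.
func ServerTLSConfig(clientCAs *x509.CertPool, p *ClientCertPolicy) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             clientCAs,
		VerifyPeerCertificate: p.Check,
	}
}

// VerifyClient mirrors what the handshake does with that config: chain to the CA pool, then run the policy.
func VerifyClient(pool *x509.CertPool, p *ClientCertPolicy, leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // not issued under a configured CA, expired, wrong EKU: rejected before the policy runs
	}
	return p.Check([][]byte{leaf.Raw}, chains)
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced; parsing cannot fail
	return c
}

// DemoPKI builds a constructed in-memory "engineering intermediate CA" and two per-developer client
// certs (sample data; a real server loads the CA from clientCaFiles and the leaves live on laptops).
func DemoPKI() (pool *x509.CertPool, alice, bob *x509.Certificate) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "engineering-intermediate-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed for the demo
	pool = x509.NewCertPool()
	pool.AddCert(ca)
	leaf := func(serial int64, cn string) *x509.Certificate {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return mustCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &k.PublicKey, caKey)
	}
	return pool, leaf(1001, "alice"), leaf(1002, "bob")
}

func main() {
	pool, alice, bob := DemoPKI()
	policy := &ClientCertPolicy{RevokedSerials: map[string]bool{}, AllowedCNs: map[string]bool{"alice": true, "bob": true}}
	policy.Revoke(bob) // stolen laptop: only bob's cert stops working, alice is untouched
	fmt.Println("alice:", VerifyClient(pool, policy, alice), "bob:", VerifyClient(pool, policy, bob))
}
```

Keying the denylist by issuer DN plus serial number is what a CRL entry identifies, so this is a hand-maintained CRL without the CA's signature and distribution: every server instance has to see the same list, and it only helps once someone notices the laptop is gone. Chain verification still happens first, so a certificate that does not chain to a configured CA is rejected before the policy is consulted, and the CN allowlist is the simplest form of the "match against distinguished names" approach the reply mentions.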