From 911a73767f61d073cb851e37a0a730d3f63580a5 Mon Sep 17 00:00:00 2001
From: Steve Clark
Date: Mon, 3 Oct 2022 09:30:49 -0400
Subject: [PATCH 1/2] PKI: Do not load revoked certificates if CRL has been disabled

- Restore the prior behavior of not reading in all revoked certificates if the CRL has been disabled as there might be performance issues if a customer had or is still revoking a lot of certificates.
---
 builtin/logical/pki/crl_util.go | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 0744690a8bd2..777fe4479451 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -828,13 +828,19 @@ func buildAnyCRLs(sc *storageContext, forceNew bool, isDelta bool) error {
 		}
 	}
 
-	// Next, we load and parse all revoked certificates. We need to assign
-	// these certificates to an issuer. Some certificates will not be
-	// assignable (if they were issued by a since-deleted issuer), so we need
-	// a separate pool for those.
-	unassignedCerts, revokedCertsMap, err := getRevokedCertEntries(sc, issuerIDCertMap, isDelta)
-	if err != nil {
-		return fmt.Errorf("error building CRLs: unable to get revoked certificate entries: %v", err)
+	var unassignedCerts []pkix.RevokedCertificate
+	var revokedCertsMap map[issuerID][]pkix.RevokedCertificate
+
+	// If the CRL is disabled do not bother reading in all the revoked certificates.
+	if !globalCRLConfig.Disable {
+		// Next, we load and parse all revoked certificates. We need to assign
+		// these certificates to an issuer. Some certificates will not be
+		// assignable (if they were issued by a since-deleted issuer), so we need
+		// a separate pool for those.
+		unassignedCerts, revokedCertsMap, err = getRevokedCertEntries(sc, issuerIDCertMap, isDelta)
+		if err != nil {
+			return fmt.Errorf("error building CRLs: unable to get revoked certificate entries: %v", err)
+		}
 	}
 
 	if err := augmentWithRevokedIssuers(issuerIDEntryMap, issuerIDCertMap, revokedCertsMap); err != nil {

From d144fac9d5106c1e869660022a6445bc9aa09566 Mon Sep 17 00:00:00 2001
From: Steve Clark
Date: Mon, 3 Oct 2022 09:37:22 -0400
Subject: [PATCH 2/2] Add cl

---
 changelog/17385.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/17385.txt

diff --git a/changelog/17385.txt b/changelog/17385.txt
new file mode 100644
index 000000000000..a6a8749ff98f
--- /dev/null
+++ b/changelog/17385.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: Do not read revoked certificates from backend when CRL is disabled
+```
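Review bot: When globalCRLConfig.Disable is set, the new `var revokedCertsMap map[issuerID][]pkix.RevokedCertificate` stays a nil map and is still handed to augmentWithRevokedIssuers on the last context line; if that helper (outside the hunk) ever assigns into the map rather than only reading it, this path will panic on a nil-map write, which the previous code could not hit because getRevokedCertEntries always ran. A cheap way to make the disabled path safe regardless of the helper's behaviour is to initialise it, `revokedCertsMap := map[issuerID][]pkix.RevokedCertificate{}`, since a successful getRevokedCertEntries overwrites it anyway. The added comment should also state the consequence for callers, e.g. `// If the CRL is disabled do not bother reading in all the revoked certificates; unassignedCerts and revokedCertsMap stay empty, so any CRL built below contains no entries.` buildAnyCRLs begins and ends outside this hunk, so whether later code in the function tolerates the empty inputs cannot be confirmed here.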