Support for CRL (Certificate Revocation List) validation in mTLS on IngressRoute

ss_vinoth22 · July 14, 2025, 5:38am

Hi Traefik team,

We're currently using Traefik(v2 and v3) as an Ingress Controller in a secure IoT environment where mTLS is enforced using certificates issued by HashiCorp Vault PKI.

Our setup involves:

Traefik IngressRoute with tls.clientAuth configured
Client certificates provisioned by Vault
Regular certificate revocation via CRL (Certificate Revocation List)

We’ve noticed that Traefik does not currently support checking CRLs, which means revoked client certificates can still authenticate unless we rotate them manually. This is a security concern for long-lived or compromised certificates.

Questions:

Is there a way to configure Traefik to enforce CRL checks?
If not, are there any plans to support loading and verifying CRLs in future releases?

Use case: We need to ensure revoked client certificates are rejected at the ingress layer (preferably without replacing Traefik with NGINX).

Would love to hear if there's a workaround.

bluepuma77 · July 14, 2025, 7:37am

You could open a feature request with the devs at Traefik Github.

Topic		Replies	Views
ClientAuth RequireAndVerifyClientCert not requesting client certificate Traefik v2 kubernetes-crd	3	856	May 7, 2024
TLS client authencation and CRL Traefik v2 docker , tcp	0	843	October 11, 2019
Client Authentication(mTLS) with enforcement is not working Traefik v2 kubernetes-ingress , letsencrypt-acme	4	974	December 3, 2020
mTLS per Kubernetes Ingress Traefik v1 kubernetes-ingress	0	1232	November 29, 2019
No mutual TLS, but client is still present certificate Traefik v2 kubernetes-ingress	2	645	October 18, 2021

Support for CRL (Certificate Revocation List) validation in mTLS on IngressRoute

Related topics