Add require-crl-on-client-cert flag to certificate-authority commands

[Aravind Khasibhatla (akhasibhatla)]

Release Notes

New Features

• Add --require-crl-on-client-certificate flag to confluent iam certificate-authority [ create | update | describe | list ] command to enable CRL validation on client certificates

Checklist

• I have successfully built and used a custom CLI binary, without linter issues from this PR.
• I have clearly specified in the What section below whether this PR applies to Confluent Cloud, Confluent Platform, or both.
• I have verified this PR in Confluent Cloud pre-prod or production environment, if applicable.
• I have verified this PR in Confluent Platform on-premises environment, if applicable.
• I have attached manual CLI verification results or screenshots in the Test & Review section below.
• I have added appropriate CLI integration or unit tests for any new or updated commands and functionality.
• I confirm that this PR introduces no breaking changes or backward compatibility issues.
• I have indicated the potential customer impact if something goes wrong in the Blast Radius section below.
• I have put checkmarks below confirming that the feature associated with this PR is enabled in:
  • Confluent Cloud prod
  • Confluent Cloud stag
  • Confluent Platform
  • Check this box if the feature is enabled for certain organizations only

What

This PR adds support for the new require_crl_on_client_certificate attribute in the Certificate Authority API. This attribute allows users to specify whether CRL (Certificate Revocation List) validation should be required on client certificates.

Applies to: Confluent Cloud only

Blast Radius

Should be minimal. This change is additive only:

• The new flag is optional with a default of false, maintaining backward compatibility
• Existing certificate authority commands continue to work without modification
• No breaking changes to existing CLI behavior

References

• API Minispec: https://github.com/confluentinc/api/blob/b722b224ed2545c8a75b181fc1c0b30c96e11fe8/certificate-authority/minispec.yaml#L131
• API PR: https://github.com/confluentinc/api/pull/2306
• SDK PR: Add require_crl_on_client_certificate field to certificate authority models ccloud-sdk-go-v2#337

Test & Review

Integration Tests

All 12 certificate-authority integration tests pass:

cd ~/code/cli/test
mkdir -p /tmp/coverage
GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

--- PASS: TestCLI (9.15s)
    --- PASS: TestCLI/TestIamCertificateAuthority (2.90s)
        --- PASS: .../iam_certificate-authority_create_my-ca_...--require-crl-on-client-certificate
        --- PASS: .../iam_certificate-authority_create_my-ca_...--crl-chain_DEF456_--require-crl-on-client-certificate
        --- PASS: .../iam_certificate-authority_delete_op-12345_--force
        --- PASS: .../iam_certificate-authority_delete_op-12345_op-67890
        --- PASS: .../iam_certificate-authority_delete_op-12345_op-54321
        --- PASS: .../iam_certificate-authority_describe_op-12345
        --- PASS: .../iam_certificate-authority_describe_op-12345_-o_json
        --- PASS: .../iam_certificate-authority_update_op-12345_...
        --- PASS: .../iam_certificate-authority_update_op-12345_...--crl-url_example.url
        --- PASS: .../iam_certificate-authority_update_op-12345_...certificate-chain-filename
        --- PASS: .../iam_certificate-authority_list
        --- PASS: .../iam_certificate-authority_list_-o_json
PASS
ok  	github.com/confluentinc/cli/v4/test	10.022s

Manual testing -- default behaviour (require-crl-on-client-cert is not specified and defaulted to be false for backward compatibility)

create

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority create provider-1 --description "Creating provider 1"   --certificate-chain "$(cat ~/crl-test/fullchain-bundle.pem)"  --certificate-chain-filename fullchain-bundle.pem
+----------------------------+-------------------------------------------+
| ID                         | op-A3gj                                   |
| Name                       | provider-1                                |
| Description                | Creating provider 1                       |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| Require Client CRL         | false                                     |
+----------------------------+-------------------------------------------+

describe

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority   describe op-A3gj
+----------------------------+-------------------------------------------+
| ID                         | op-A3gj                                   |
| Name                       | provider-1                                |
| Description                | Creating provider 1                       |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| Require Client CRL         | false                                     |
+----------------------------+-------------------------------------------+

update

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority update op-A3gj --description "Creating provider 1 updated"

+----------------------------+-------------------------------------------+
| ID                         | op-A3gj                                   |
| Name                       | provider-1                                |
| Description                | Creating provider 1 updated               |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| CRL Updated At             | 2026-03-10 05:43:47 +0000 UTC             |
| Require Client CRL         | false                                     |
+----------------------------+-------------------------------------------+

list

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority list --output yaml
- id: op-A3gj
  name: provider-1
  description: Creating provider 1
  fingerprints:
    - 5A33DD0C415F95D49F32139E102DA05FFD2B5777
    - C81842C4471C2C13C7F69C2E98D91AC4F39C980C
  expiration_dates:
    - 2031-03-05T19:23:17Z
    - 2036-03-03T19:21:40Z
  serial_numbers:
    - 94D38DB308CC70D7
    - EAE9D7EFBDC1FEE0
  certificate_chain_filename: fullchain-bundle.pem
  require_client_crl: false

delete

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority delete op-A3gj       

Are you sure you want to delete certificate authority "op-A3gj"? (y/n): y
Deleted certificate authority "op-A3gj".

Manual testing -- updated behaviour (require-crl-on-client-cert flag added)

create

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority create provider-test-crl --description "testing require_crl_on_client_certificate"  --certificate-chain "$(cat ~/crl-test/fullchain-bundle.pem)" --certificate-chain-filename fullchain-bundle.pem --crl-chain "$(cat ~/crl-test/crl/intermediateCA.crl.pem)"  --require-crl-on-client-cert
+----------------------------+-------------------------------------------+
| ID                         | op-VOyq                                   |
| Name                       | provider-test-crl                         |
| Description                | testing                                   |
|                            | require_crl_on_client_certificate         |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| CRL Source                 | LOCAL                                     |
| CRL URL                    | Local file uploaded                       |
| CRL Updated At             | 2026-03-10 05:47:40 +0000 UTC             |
| Require Client CRL         | true                                      |
+----------------------------+-------------------------------------------+

describe

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority describe op-VOyq
+----------------------------+-------------------------------------------+
| ID                         | op-VOyq                                   |
| Name                       | provider-test-crl                         |
| Description                | testing                                   |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| CRL Source                 | LOCAL                                     |
| CRL URL                    | Local file uploaded                       |
| CRL Updated At             | 2026-03-10 06:16:29 +0000 UTC             |
| Require Client CRL         | true                                      |
+----------------------------+-------------------------------------------+

update

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority update op-VOyq --description "updated" --crl-chain "$(cat ~/crl-test/crl/intermediateCA.crl.pem)"
+----------------------------+-------------------------------------------+
| ID                         | op-VOyq                                   |
| Name                       | provider-test-crl                         |
| Description                | updated                                   |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| CRL Source                 | LOCAL                                     |
| CRL URL                    | Local file uploaded                       |
| CRL Updated At             | 2026-03-10 06:16:29 +0000 UTC             |
| Require Client CRL         | true                                      |
+----------------------------+-------------------------------------------+

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority update op-VOyq --description "updated to false" --require-crl-on-client-cert=false --crl-url ""  
+----------------------------+-------------------------------------------+
| ID                         | op-VOyq                                   |
| Name                       | provider-test-crl                         |
| Description                | updated to false                          |
| Fingerprints               | 5A33DD0C415F95D49F32139E102DA05FFD2B5777, |
|                            | C81842C4471C2C13C7F69C2E98D91AC4F39C980C  |
| Expiration Dates           | 2031-03-05 19:23:17 +0000 UTC,            |
|                            | 2036-03-03 19:21:40 +0000 UTC             |
| Serial Numbers             | 94D38DB308CC70D7,                         |
|                            | EAE9D7EFBDC1FEE0                          |
| Certificate Chain Filename | fullchain-bundle.pem                      |
| CRL Updated At             | 2026-03-10 06:21:10 +0000 UTC             |
| Require Client CRL         | false                                     |
+----------------------------+-------------------------------------------+

delete

❯ dist/confluent_darwin_arm64_v8.0/confluent iam certificate-authority delete op-VOyq
Are you sure you want to delete certificate authority "op-VOyq"? (y/n): y
Deleted certificate authority "op-VOyq"

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[Copilot]

Pull request overview

Adds support in the IAM certificate-authority CLI commands for configuring and displaying the new “require CRL validation on client certificates” setting, aligning CLI behavior/output with the upstream API/SDK changes.

Changes:

• Added --require-crl-on-client-certificate to certificate-authority create (required) and certificate-authority update.
• Extended describe/list output (human + JSON) to include Require CRL On Client Certificate.
• Updated test server handlers and golden fixtures to reflect the new field.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
internal/iam/command_certificate_authority_create.go	Adds the new boolean flag and sends it in the create request (currently marked required).
internal/iam/command_certificate_authority_update.go	Adds the new boolean flag and allows updating it in the update request.
internal/iam/command_certificate_authority.go	Extends the output model + describe/create/update table output to include the new field.
internal/iam/command_certificate_authority_list.go	Extends list output rows to include the new field.
test/test-server/iam_handlers.go	Test server returns/echoes the new field in CA responses.
test/fixtures/output/iam/certificate-authority/*.golden	Updates expected CLI output for create/update/describe/list (human + JSON).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new --require-crl-on-client-certificate update path isn’t covered by the existing IAM certificate-authority integration fixtures (current tests cover other update flags like certificate-chain/crl-url, but not toggling this boolean). Add a test case + golden fixture that runs certificate-authority update ... --require-crl-on-client-certificate[=false|true] and asserts the field changes in the output (and request handling) so regressions in the Flags().Changed(...) logic are caught.

[Jeff Huang (jeffhuang26)]

Only update require-crl-on-client-certificate when user explicitly do it for keep backward compatible. .

[Aravind Khasibhatla (akhasibhatla)]

Confirmed - the update command only updates the field when explicitly specified via cmd.Flags().Changed(), maintaining backward compatibility.

[Aravind Khasibhatla (akhasibhatla)]

Jeff Huang (@jeffhuang26) PTAL when you have a minute today.

[Aravind Khasibhatla (akhasibhatla)]

Integration Test Update

Integration tests for the certificate-authority commands have been verified.

Test Results

$ GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

--- PASS: TestCLI (2.99s)
    --- PASS: TestCLI/TestIamCertificateAuthority (2.15s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_create_my-ca_...--require-crl-on-client-certificate (0.64s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_create_my-ca_...--crl-chain_DEF456_--require-crl-on-client-certificate (0.13s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_--force (0.13s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_op-67890 (0.13s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_op-54321 (0.14s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_describe_op-12345 (0.14s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_describe_op-12345_-o_json (0.14s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_--name_... (0.16s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_--name_...--crl-url_example.url (0.13s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_...--certificate-chain-filename_certificate-2.pem (0.14s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_list (0.14s)
        --- PASS: TestCLI/TestIamCertificateAuthority/iam_certificate-authority_list_-o_json (0.14s)
PASS
ok  	github.com/confluentinc/cli/v4/test	3.637s

Test Coverage

• All 12 certificate-authority integration tests pass
• Tests cover: create, create with CRL chain, delete, describe, update, list operations
• JSON output format tested for describe and list commands
• New --require-crl-on-client-certificate flag properly validated in create commands

Golden Files

Golden files have been updated to reflect the current table formatting behavior:

• create.golden, create-url-chain.golden
• describe.golden
• list.golden
• update.golden, update-crl-url.golden, update-fail.golden

[Aravind Khasibhatla (akhasibhatla)]

Final Verification After Rebase

Branch has been rebased onto latest main and all integration tests pass.

Test Results (post-rebase)

$ GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

--- PASS: TestCLI (9.15s)
    --- PASS: TestCLI/TestIamCertificateAuthority (2.90s)
        --- PASS: .../iam_certificate-authority_create_my-ca_...--require-crl-on-client-certificate (1.23s)
        --- PASS: .../iam_certificate-authority_create_my-ca_...--crl-chain_DEF456_--require-crl-on-client-certificate (0.26s)
        --- PASS: .../iam_certificate-authority_delete_op-12345_--force (0.14s)
        --- PASS: .../iam_certificate-authority_delete_op-12345_op-67890 (0.14s)
        --- PASS: .../iam_certificate-authority_delete_op-12345_op-54321 (0.15s)
        --- PASS: .../iam_certificate-authority_describe_op-12345 (0.14s)
        --- PASS: .../iam_certificate-authority_describe_op-12345_-o_json (0.14s)
        --- PASS: .../iam_certificate-authority_update_op-12345_...certificate-2.pem (0.14s)
        --- PASS: .../iam_certificate-authority_update_op-12345_...--crl-url_example.url (0.14s)
        --- PASS: .../iam_certificate-authority_update_op-12345_...certificate-chain-filename_certificate-2.pem (0.14s)
        --- PASS: .../iam_certificate-authority_list (0.14s)
        --- PASS: .../iam_certificate-authority_list_-o_json (0.14s)
PASS
ok  	github.com/confluentinc/cli/v4/test	10.022s

Changes Verified

• --require-crl-on-client-certificate flag added to create command (optional, defaults to false)
• --require-crl-on-client-certificate flag added to update command (only updates when explicitly set)
• New field displayed in describe output (human and JSON formats)
• New field displayed in list output (human and JSON formats)
• All 12 certificate-authority integration tests passing
• Branch rebased onto latest main
• Review comments addressed (flag made optional for backward compatibility)

Ready for final review and merge once SDK PR is merged.

[Aravind Khasibhatla (akhasibhatla)]

Exact Commands Run for Verification

1. Rebase onto main

cd ~/code/cli
git fetch origin main
git stash
git rebase origin/main
git stash pop

2. Run integration tests

cd ~/code/cli/test
mkdir -p /tmp/coverage
GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

3. Full test output

=== RUN   TestCLI
=== RUN   TestCLI/TestIamCertificateAuthority
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_create_my-ca_--description_"my_certificate_authority"_--certificate-chain_ABC123_--certificate-chain-filename_certificate.pem_--require-crl-on-client-certificate
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_create_my-ca_--description_"my_certificate_authority"_--certificate-chain_ABC123_--certificate-chain-filename_certificate.pem_--crl-chain_DEF456_--require-crl-on-client-certificate
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_--force
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_op-67890
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_delete_op-12345_op-54321
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_describe_op-12345
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_describe_op-12345_-o_json
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_--name_"new_name"_--description_"new_description"_--certificate-chain_ABC123_--certificate-chain-filename_certificate-2.pem
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_--name_"new_name"_--description_"new_description"_--certificate-chain_ABC123_--certificate-chain-filename_certificate-2.pem_--crl-url_example.url
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_update_op-12345_--name_"new_name"_--description_"new_description"_--certificate-chain-filename_certificate-2.pem
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_list
--- PASS: ...
=== RUN   TestCLI/TestIamCertificateAuthority/iam_certificate-authority_list_-o_json
--- PASS: ...

--- PASS: TestCLI (9.15s)
    --- PASS: TestCLI/TestIamCertificateAuthority (2.90s)
PASS
ok  	github.com/confluentinc/cli/v4/test	10.022s

All 12 certificate-authority integration tests pass after rebase.

[Aravind Khasibhatla (akhasibhatla)]

Update Summary

What was done:

1. Rebased onto latest main

   git fetch origin main
   git stash
   git rebase origin/main
   git stash pop

   Branch is now 4 commits ahead of main, 0 behind.

2. Ran integration tests - All 12 certificate-authority tests pass

   cd ~/code/cli/test
   mkdir -p /tmp/coverage
   GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

3. Addressed review comments

   • Made --require-crl-on-client-certificate optional (defaults to false) for backward compatibility
   • Confirmed update command only modifies field when explicitly set

4. Updated PR description to match standard CLI PR template

---

Remaining Steps

Step	Status	Description
1	⏳	Merge SDK PR #337
2	⏳	Wait for SDK release (new version tag)
3	⏳	Update CLI go.mod - Remove replace directive, run go get github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority@<new-version>
4	⏳	Push go.mod/go.sum changes
5	⏳	Force push rebased branch - git push-external --force-with-lease origin akk-add-require-crl-on-client-certificate
6	⏳	CI passes
7	⏳	Get approval and merge CLI PR

Once SDK PR #337 is merged and released, I'll update the CLI with the released SDK version.

[Cynthia Qin (cqin-confluent)]

Looks good overall! Left a few comments.

Quick question:
I noticed that all the CRL-related fields (CrlSource, CrlUrl, CrlUpdatedAt) use omitempty so they’re hidden when empty, but RequireCrlOnClientCertificate doesn’t and always shows false even for CAs without CRL.

  CrlSource  string `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"`
  CrlUrl     string `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"`
  RequireCrlOnClientCertificate bool `human:"Require CRL On Client Certificate"
  serialized:"require_crl_on_client_certificate"`

Was it intentional to always show this field? For CAs without CRL, displaying false might be noisy. Maybe omitempty is worth considering here (though note that on a bool it hides false, which may or may not be what we want).

[Aravind Khasibhatla (akhasibhatla)]

CynthiaQin - Following up on review feedback, I've made the following changes:

Changes Made

1. Renamed Flag for Brevity

• Before: --require-crl-on-client-certificate
• After: --require-crl-on-client-cert

2. Added New Test Case for UPDATE Operation

{args: "iam certificate-authority update op-12345 --require-crl-on-client-cert=false", fixture: "iam/certificate-authority/update-require-crl.golden"},

Test Results

All 13 certificate-authority integration tests pass:

cd ~/code/cli/test
mkdir -p /tmp/coverage
GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

Test	Status
CREATE with --require-crl-on-client-cert	✅ PASS
CREATE with CRL chain + --require-crl-on-client-cert	✅ PASS
DELETE (single)	✅ PASS
DELETE (multiple - fail)	✅ PASS
DELETE (multiple - success)	✅ PASS
DESCRIBE	✅ PASS
DESCRIBE (JSON)	✅ PASS
UPDATE (name/description/chain)	✅ PASS
UPDATE (with CRL URL)	✅ PASS
UPDATE with --require-crl-on-client-cert=false	✅ PASS (new)
UPDATE (fail - missing chain)	✅ PASS
LIST	✅ PASS
LIST (JSON)	✅ PASS

Ready for re-review!

[Aravind Khasibhatla (akhasibhatla)]

SDK PR Merged - CLI Updated

SDK PR #337 has been merged.

Changes Made

• Updated go.mod to use SDK version v0.0.3-0.20260304220235-a27d679482e3 from master branch
• Removed local replace directive

Test Results

All 13 certificate-authority integration tests pass with the released SDK:

cd ~/code/cli
go get github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority@master
go mod tidy
cd test
GOCOVERDIR=/tmp/coverage go test -v -run TestCLI/TestIamCertificateAuthority

--- PASS: TestCLI (10.41s)
    --- PASS: TestCLI/TestIamCertificateAuthority (3.06s)
        --- PASS: .../create...--require-crl-on-client-cert (1.24s)
        --- PASS: .../create...--crl-chain...--require-crl-on-client-cert (0.25s)
        --- PASS: .../delete...--force (0.14s)
        --- PASS: .../delete...multiple-fail (0.13s)
        --- PASS: .../delete...multiple-success (0.14s)
        --- PASS: .../describe (0.14s)
        --- PASS: .../describe...-o_json (0.14s)
        --- PASS: .../update...--certificate-chain... (0.16s)
        --- PASS: .../update...--crl-url (0.15s)
        --- PASS: .../update...--require-crl-on-client-cert=false (0.14s)
        --- PASS: .../update-fail (0.14s)
        --- PASS: .../list (0.14s)
        --- PASS: .../list...-o_json (0.14s)
PASS

CI should pass now. Ready for final review!

[Aravind Khasibhatla (akhasibhatla)]

CynthiaQin Apologies for the premature SDK merge - I should have waited for the field rename to be finalized before merging PR #337.

To address this, I've created a follow-up SDK PR to rename the field:

• SDK PR: Rename require_crl_on_client_certificate to require_crl_on_client_cert ccloud-sdk-go-v2#338

This rename aligns the JSON field name (require_crl_on_client_certificate → require_crl_on_client_cert) with the CLI flag --require-crl-on-client-cert.

Once the SDK rename PR is merged, I'll update this CLI PR to use the renamed field and ensure everything stays consistent.