confluentinc · Aravind Khasibhatla (akhasibhatla) · Mar 3, 2026 · Mar 3, 2026 · Mar 3, 2026 · Mar 4, 2026
@@ -23,7 +23,7 @@ require (
 	github.com/confluentinc/ccloud-sdk-go-v2/ccl v0.4.0
 	github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1
 	github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5
-	github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2
+	github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3
 	github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0
 	github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0
 	github.com/confluentinc/ccloud-sdk-go-v2/connect v0.7.0

@@ -204,8 +204,8 @@ github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1 h1:q++EceNVxARLSE5J9FO3Vbp9
 github.com/confluentinc/ccloud-sdk-go-v2/ccpm v0.0.1/go.mod h1:toZWg8FVpQZ/80az0XTB4Fv22E5HJtEiMXxt4rU1JoI=
 github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5 h1:w0Z2hFxg8ng8gycWKRZFdus1R+q8D/I5AmN06NZso5s=
 github.com/confluentinc/ccloud-sdk-go-v2/cdx v0.0.5/go.mod h1:L8U9xs2duASJnjIYkwGrSbZNpApsbh+vlxsJlZMHJPA=
-github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2 h1:stsiO1JIRX6ITdw4DCsidQ0w7uhsyKDsYXwzxvi14GI=
-github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.2/go.mod h1:OU1RGuP2y5l54jX5rA++QBAKeRvSa7GmkfNgJvB9J6M=
+github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3 h1:jagGRDqY/ZYKaU7Rv9rz5ynMGxNoX7f9TQ/RsbvmJPw=
+github.com/confluentinc/ccloud-sdk-go-v2/certificate-authority v0.0.3/go.mod h1:Lt0BOSolRuMvnaV+aASN8KlPpkLl6+TNQKiqJosGaws=
 github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0 h1:OOFNqtZN3Spuzz4TX6K6JfDM7zNDIE6BE1TtK78jFHQ=
 github.com/confluentinc/ccloud-sdk-go-v2/cli v0.3.0/go.mod h1:Mv0WTsBXUfKjmF+r2t2Dv/xJzZf17shhf5J1cttU2Qo=
 github.com/confluentinc/ccloud-sdk-go-v2/cmk v0.25.0 h1:EdZzQZ4SI5q+f0DQPjH3lWpygz1wYz7IE0K62Mv06bY=

@@ -16,16 +16,17 @@ type certificateAuthorityCommand struct {
 }
 
 type certificateAuthorityOut struct {
-	Id                       string      `human:"ID" serialized:"id"`
-	Name                     string      `human:"Name" serialized:"name"`
-	Description              string      `human:"Description" serialized:"description"`
-	Fingerprints             []string    `human:"Fingerprints" serialized:"fingerprints"`
-	ExpirationDates          []time.Time `human:"Expiration Dates" serialized:"expiration_dates"`
-	SerialNumbers            []string    `human:"Serial Numbers" serialized:"serial_numbers"`
-	CertificateChainFilename string      `human:"Certificate Chain Filename" serialized:"certificate_chain_filename"`
-	CrlSource                string      `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"`
-	CrlUrl                   string      `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"`
-	CrlUpdatedAt             *time.Time  `human:"CRL Updated At,omitempty" serialized:"crl_updated_at,omitempty"`
+	Id                            string      `human:"ID" serialized:"id"`
+	Name                          string      `human:"Name" serialized:"name"`
+	Description                   string      `human:"Description" serialized:"description"`
+	Fingerprints                  []string    `human:"Fingerprints" serialized:"fingerprints"`
+	ExpirationDates               []time.Time `human:"Expiration Dates" serialized:"expiration_dates"`
+	SerialNumbers                 []string    `human:"Serial Numbers" serialized:"serial_numbers"`
+	CertificateChainFilename      string      `human:"Certificate Chain Filename" serialized:"certificate_chain_filename"`
+	CrlSource                     string      `human:"CRL Source,omitempty" serialized:"crl_source,omitempty"`
+	CrlUrl                        string      `human:"CRL URL,omitempty" serialized:"crl_url,omitempty"`
+	CrlUpdatedAt                  *time.Time  `human:"CRL Updated At,omitempty" serialized:"crl_updated_at,omitempty"`
+	RequireCrlOnClientCertificate bool        `human:"Require Client CRL" serialized:"require_client_crl"`
 }
 
 func newCertificateAuthorityCommand(prerunner pcmd.PreRunner) *cobra.Command {
@@ -49,16 +50,17 @@ func newCertificateAuthorityCommand(prerunner pcmd.PreRunner) *cobra.Command {
 func printCertificateAuthority(cmd *cobra.Command, certificateAuthority certificateauthorityv2.IamV2CertificateAuthority) error {
 	table := output.NewTable(cmd)
 	table.Add(&certificateAuthorityOut{
-		Id:                       certificateAuthority.GetId(),
-		Name:                     certificateAuthority.GetDisplayName(),
-		Description:              certificateAuthority.GetDescription(),
-		Fingerprints:             certificateAuthority.GetFingerprints(),
-		ExpirationDates:          certificateAuthority.GetExpirationDates(),
-		SerialNumbers:            certificateAuthority.GetSerialNumbers(),
-		CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(),
-		CrlSource:                certificateAuthority.GetCrlSource(),
-		CrlUrl:                   certificateAuthority.GetCrlUrl(),
-		CrlUpdatedAt:             certificateAuthority.CrlUpdatedAt,
+		Id:                            certificateAuthority.GetId(),
+		Name:                          certificateAuthority.GetDisplayName(),
+		Description:                   certificateAuthority.GetDescription(),
+		Fingerprints:                  certificateAuthority.GetFingerprints(),
+		ExpirationDates:               certificateAuthority.GetExpirationDates(),
+		SerialNumbers:                 certificateAuthority.GetSerialNumbers(),
+		CertificateChainFilename:      certificateAuthority.GetCertificateChainFilename(),
+		CrlSource:                     certificateAuthority.GetCrlSource(),
+		CrlUrl:                        certificateAuthority.GetCrlUrl(),
+		CrlUpdatedAt:                  certificateAuthority.CrlUpdatedAt,
+		RequireCrlOnClientCertificate: certificateAuthority.GetRequireCrlOnClientCertificate(),
 	})
 	return table.Print()
 }

@@ -49,6 +49,7 @@ X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
 	cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.")
 	cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.")
 	cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.")
+	cmd.Flags().Bool("require-client-crl", false, "Whether to require CRL validation on client certificates.")
 	pcmd.AddContextFlag(cmd, c.CLICommand)
 	pcmd.AddOutputFlag(cmd)
 
@@ -85,13 +86,19 @@ func (c *certificateAuthorityCommand) create(cmd *cobra.Command, args []string)
 		return err
 	}
 
+	requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-client-crl")
+	if err != nil {
+		return err
+	}
+
 	certRequest := certificateauthorityv2.IamV2CreateCertRequest{
-		DisplayName:              certificateauthorityv2.PtrString(args[0]),
-		Description:              certificateauthorityv2.PtrString(description),
-		CertificateChain:         certificateauthorityv2.PtrString(certificateChain),
-		CertificateChainFilename: certificateauthorityv2.PtrString(certificateChainFilename),
-		CrlUrl:                   certificateauthorityv2.PtrString(crlUrl),
-		CrlChain:                 certificateauthorityv2.PtrString(crlChain),
+		DisplayName:                   certificateauthorityv2.PtrString(args[0]),
+		Description:                   certificateauthorityv2.PtrString(description),
+		CertificateChain:              certificateauthorityv2.PtrString(certificateChain),
+		CertificateChainFilename:      certificateauthorityv2.PtrString(certificateChainFilename),
+		CrlUrl:                        certificateauthorityv2.PtrString(crlUrl),
+		CrlChain:                      certificateauthorityv2.PtrString(crlChain),
+		RequireCrlOnClientCertificate: certificateauthorityv2.PtrBool(requireCrlOnClientCertificate),
 	}
 
 	certificateAuthority, err := c.V2Client.CreateCertificateAuthority(certRequest)

@@ -30,16 +30,17 @@ func (c *certificateAuthorityCommand) list(cmd *cobra.Command, _ []string) error
 	list := output.NewList(cmd)
 	for _, certificateAuthority := range certificateAuthorities {
 		list.Add(&certificateAuthorityOut{
-			Id:                       certificateAuthority.GetId(),
-			Name:                     certificateAuthority.GetDisplayName(),
-			Description:              certificateAuthority.GetDescription(),
-			Fingerprints:             certificateAuthority.GetFingerprints(),
-			ExpirationDates:          certificateAuthority.GetExpirationDates(),
-			SerialNumbers:            certificateAuthority.GetSerialNumbers(),
-			CertificateChainFilename: certificateAuthority.GetCertificateChainFilename(),
-			CrlSource:                certificateAuthority.GetCrlSource(),
-			CrlUrl:                   certificateAuthority.GetCrlUrl(),
-			CrlUpdatedAt:             certificateAuthority.CrlUpdatedAt,
+			Id:                            certificateAuthority.GetId(),
+			Name:                          certificateAuthority.GetDisplayName(),
+			Description:                   certificateAuthority.GetDescription(),
+			Fingerprints:                  certificateAuthority.GetFingerprints(),
+			ExpirationDates:               certificateAuthority.GetExpirationDates(),
+			SerialNumbers:                 certificateAuthority.GetSerialNumbers(),
+			CertificateChainFilename:      certificateAuthority.GetCertificateChainFilename(),
+			CrlSource:                     certificateAuthority.GetCrlSource(),
+			CrlUrl:                        certificateAuthority.GetCrlUrl(),
+			CrlUpdatedAt:                  certificateAuthority.CrlUpdatedAt,
+			RequireCrlOnClientCertificate: certificateAuthority.GetRequireCrlOnClientCertificate(),
 		})
 	}
 	return list.Print()

@@ -30,6 +30,7 @@ func (c *certificateAuthorityCommand) newUpdateCommand() *cobra.Command {
 	cmd.Flags().String("certificate-chain-filename", "", "The name of the certificate file.")
 	cmd.Flags().String("crl-url", "", "The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.")
 	cmd.Flags().String("crl-chain", "", "A base64 encoded string containing the CRL for this certificate authority.")
+	cmd.Flags().Bool("require-client-crl", false, "Whether to require CRL validation on client certificates.")
 	pcmd.AddContextFlag(cmd, c.CLICommand)
 	pcmd.AddOutputFlag(cmd)
 
@@ -46,11 +47,12 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string)
 	}
 
 	update := certificateauthorityv2.IamV2UpdateCertRequest{
-		Id:                       certificateauthorityv2.PtrString(args[0]),
-		DisplayName:              currentCertificateAuthority.DisplayName,
-		Description:              currentCertificateAuthority.Description,
-		CertificateChainFilename: currentCertificateAuthority.CertificateChainFilename,
-		CrlUrl:                   currentCertificateAuthority.CrlUrl,
+		Id:                            certificateauthorityv2.PtrString(args[0]),
+		DisplayName:                   currentCertificateAuthority.DisplayName,
+		Description:                   currentCertificateAuthority.Description,
+		CertificateChainFilename:      currentCertificateAuthority.CertificateChainFilename,
+		CrlUrl:                        currentCertificateAuthority.CrlUrl,
+		RequireCrlOnClientCertificate: currentCertificateAuthority.RequireCrlOnClientCertificate,
 	}
 	if cmd.Flags().Changed("name") {
 		name, err := cmd.Flags().GetString("name")
@@ -93,6 +95,13 @@ func (c *certificateAuthorityCommand) update(cmd *cobra.Command, args []string)
 		}
 		update.CrlChain = certificateauthorityv2.PtrString(crlChain)
 	}
+	if cmd.Flags().Changed("require-client-crl") {
+		requireCrlOnClientCertificate, err := cmd.Flags().GetBool("require-client-crl")
+		if err != nil {
+			return err
+		}
+		update.RequireCrlOnClientCertificate = certificateauthorityv2.PtrBool(requireCrlOnClientCertificate)
+	}
 
 	certificateAuthority, err := c.V2Client.UpdateCertificateAuthority(update)
 	if err != nil {

@@ -8,4 +8,5 @@
 | Certificate Chain Filename | certificate.pem                          |
 | CRL Source                 | LOCAL                                    |
 | CRL Updated At             | 2024-07-21 17:32:28 +0000 UTC            |
+| Require Client CRL         | true                                     |
 +----------------------------+------------------------------------------+
@@ -6,4 +6,5 @@
 | Expiration Dates           | 2017-07-21 17:32:28 +0000 UTC            |
 | Serial Numbers             | 219C542DE8f6EC7177FA4EE8C3705797         |
 | Certificate Chain Filename | certificate.pem                          |
+| Require Client CRL         | true                                     |
 +----------------------------+------------------------------------------+
@@ -0,0 +1,5 @@
+op-12345	my-ca
+op-54321	my-ca-2
+op-67890	my-ca-3
+:4
+Completion ended with directive: ShellCompDirectiveNoFileComp
@@ -5,5 +5,6 @@
   "fingerprints": ["B1BC968BD4f49D622AA89A81F2150152A41D829C"],
   "expiration_dates": ["2017-07-21T17:32:28Z"],
   "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"],
-  "certificate_chain_filename": "certificate.pem"
+  "certificate_chain_filename": "certificate.pem",
+  "require_client_crl": true
 }
@@ -6,4 +6,5 @@
 | Expiration Dates           | 2017-07-21 17:32:28 +0000 UTC            |
 | Serial Numbers             | 219C542DE8f6EC7177FA4EE8C3705797         |
 | Certificate Chain Filename | certificate.pem                          |
+| Require Client CRL         | true                                     |
 +----------------------------+------------------------------------------+
@@ -6,7 +6,8 @@
     "fingerprints": ["B1BC968BD4f49D622AA89A81F2150152A41D829C"],
     "expiration_dates": ["2017-07-21T17:32:28Z"],
     "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"],
-    "certificate_chain_filename": "certificate.pem"
+    "certificate_chain_filename": "certificate.pem",
+    "require_client_crl": true
   },
   {
     "id": "op-54321",
@@ -17,7 +18,8 @@
     "serial_numbers": ["219C542DE8f6EC7177FA4EE8C3705797"],
     "certificate_chain_filename": "certificate-2.pem",
     "crl_source": "LOCAL",
-    "crl_updated_at": "2024-07-21T17:32:28Z"
+    "crl_updated_at": "2024-07-21T17:32:28Z",
+    "require_client_crl": false
   },
   {
     "id": "op-67890",
@@ -29,6 +31,7 @@
     "certificate_chain_filename": "certificate-3.pem",
     "crl_source": "URL",
     "crl_url": "example.url",
-    "crl_updated_at": "2024-07-21T17:32:28Z"
+    "crl_updated_at": "2024-07-21T17:32:28Z",
+    "require_client_crl": true
   }
 ]
@@ -1,5 +1,5 @@
-     ID    |  Name   |          Description           |               Fingerprints               |       Expiration Dates        |          Serial Numbers          | Certificate Chain Filename | CRL Source |   CRL URL   |        CRL Updated At          
------------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+--------------------------------
-  op-12345 | my-ca   | my certificate authority       | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem            |            |             |                                
-  op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem          | LOCAL      |             | 2024-07-21 17:32:28 +0000 UTC  
-  op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem          | URL        | example.url | 2024-07-21 17:32:28 +0000 UTC  
+     ID    |  Name   |          Description           |               Fingerprints               |       Expiration Dates        |          Serial Numbers          | Certificate Chain Filename | CRL Source |   CRL URL   |        CRL Updated At         | Require Client CRL
+-----------+---------+--------------------------------+------------------------------------------+-------------------------------+----------------------------------+----------------------------+------------+-------------+-------------------------------+--------------------
+  op-12345 | my-ca   | my certificate authority       | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate.pem            |            |             |                               | true
+  op-54321 | my-ca-2 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-2.pem          | LOCAL      |             | 2024-07-21 17:32:28 +0000 UTC | false
+  op-67890 | my-ca-3 | my other certificate authority | B1BC968BD4f49D622AA89A81F2150152A41D829C | 2017-07-21 17:32:28 +0000 UTC | 219C542DE8f6EC7177FA4EE8C3705797 | certificate-3.pem          | URL        | example.url | 2024-07-21 17:32:28 +0000 UTC | true
@@ -9,4 +9,5 @@
 | CRL Source                 | URL                                      |
 | CRL URL                    | example.url                              |
 | CRL Updated At             | 2024-07-21 17:32:28 +0000 UTC            |
+| Require Client CRL         | true                                     |
 +----------------------------+------------------------------------------+
@@ -14,6 +14,7 @@ Flags:
       --certificate-chain-filename string   The name of the certificate file.
       --crl-url string                      The URL from which to fetch the CRL (Certificate Revocation List) for the certificate authority.
       --crl-chain string                    A base64 encoded string containing the CRL for this certificate authority.
+      --require-client-crl          Whether to require CRL validation on client certificates.
       --context string                      CLI context name.
   -o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
 

@@ -0,0 +1,10 @@
++----------------------------+------------------------------------------+
+| ID                         | op-12345                                 |
+| Name                       | my-ca                                    |
+| Description                | my certificate authority                 |
+| Fingerprints               | B1BC968BD4f49D622AA89A81F2150152A41D829C |
+| Expiration Dates           | 2017-07-21 17:32:28 +0000 UTC            |
+| Serial Numbers             | 219C542DE8f6EC7177FA4EE8C3705797         |
+| Certificate Chain Filename | certificate.pem                          |
+| Require Client CRL         | false                                    |
++----------------------------+------------------------------------------+
@@ -6,4 +6,5 @@
 | Expiration Dates           | 2017-07-21 17:32:28 +0000 UTC            |
 | Serial Numbers             | 219C542DE8f6EC7177FA4EE8C3705797         |
 | Certificate Chain Filename | certificate-2.pem                        |
+| Require Client CRL         | true                                     |
 +----------------------------+------------------------------------------+