Gateways, mTLS, & certificate revocation

When configuring a Secure Gateway (SDS) and associated -credential secret, is there any way to handle client certificate revocation in Istio? It seems that Envoy supports the configuration of a CRL but I don't see any way to achieve this in the Istio docs. If a CRL isn't supported, is there any mechanism that Istio can be configured with that would check for revoked certs?

CRL is not supported in Istio yet: during TLS, a sidecar in Istio will check whether the certificate is expired but will not check whether it is revoked.
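As an added illustration (not part of this thread and not Istio's or Envoy's code), the Go program below constructs a throwaway CA in-process, issues two client certificates, revokes one of them in a CRL, and runs the two checks separately: the chain-and-expiry verification the answer above says the sidecar performs, and the CRL lookup it does not. Everything is generated with the standard crypto/x509 package; the CA name, client names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check panics on error: all input below is constructed in-process.
func check(err error) { if err != nil { panic(err) } }

// template builds a client-auth leaf template, or a CA template when isCA is set.
// Names and serials are constructed for the demonstration, not read from a cluster.
func template(serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("demo-%d", serial)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // the CA must be allowed to sign both certificates and CRLs
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// mustCert signs tmpl with parent (self-signed when parent is nil) and returns the parsed cert and its key.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildCRL returns a DER-encoded CRL, signed by the CA, that lists the given serials.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...*big.Int) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	check(err)
	return der
}

// chainValid is the check the answer above describes: the certificate chains to the
// trusted CA, is inside its validity window and is usable for client auth. No CRL is consulted.
func chainValid(ca, cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// isRevoked is the step that is missing: verify the CRL's signature against the CA,
// refuse a CRL past its nextUpdate, then look the presented serial up in it.
func isRevoked(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	if err := crl.CheckSignatureFrom(ca); err != nil { return false, fmt.Errorf("CRL not signed by the trusted CA: %w", err) }
	if time.Now().After(crl.NextUpdate) { return false, fmt.Errorf("stale CRL: nextUpdate was %s", crl.NextUpdate) }
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}

// Result records what each check concludes about a revoked and an unrevoked client cert.
type Result struct{ RevokedChainOK, RevokedListed, UnrevokedChainOK, UnrevokedListed bool }

// Demo issues two client certificates, revokes serial 42 only, and runs both checks on each.
func Demo() Result {
	ca, caKey := mustCert(template(1, true), nil, nil)
	revoked, _ := mustCert(template(42, false), ca, caKey)
	fine, _ := mustCert(template(43, false), ca, caKey)
	crl := buildCRL(ca, caKey, revoked.SerialNumber)
	rev, err := isRevoked(crl, ca, revoked)
	check(err)
	other, err := isRevoked(crl, ca, fine)
	check(err)
	return Result{RevokedChainOK: chainValid(ca, revoked), RevokedListed: rev, UnrevokedChainOK: chainValid(ca, fine), UnrevokedListed: other}
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

Running it shows the gap the answer describes: both certificates pass chainValid, because revocation does not change the chain or the validity dates, and only the CRL lookup distinguishes the revoked one. A revocation check also has to authenticate and age-check the CRL itself, which is why isRevoked verifies the signature and nextUpdate before trusting the list.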

Thank you for the confirmation.

Does anyone know when external CRL will be supported?

You can raise a feature request in the Istio GitHub repository https://github.com/istio/istio. I will also record your request and help you escalate it to the corresponding team.

There are already two issues open for this.