[Freeipa-users] revocation of a ssl certificate
Nicolas Zin
nicolas.zin at savoirfairelinux.com
Thu Mar 19 13:44:54 UTC 2015
Hi,
let's say that I created an SSL certificate:
ipa service-add HTTP/www.test.lan
ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k /etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D www.test.lan -K HTTP/www.test.lan
and I installed it.
If the machine is compromised I would like to revoke it. What shall I do?
I saw you can stop renewing it via
ipa-getcert stop-tracking -i 20150319132153
and it seems that I can revoke it via
ipa cert-find
ipa cert-revoke --revocation-reason=1 0xC
Is it sufficient?
I didn't see /var/lib/ipa/pki-ca/publish/MasterCRL.bin change. I thought I should find the revoked certificate inside this binary file?
Also, how can I print the content of MasterCRL.bin in a "readable" output?
Regards,
Nicolas Zin
PS: I have to confess that I don't master CRL and OCSP.
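Added example, not part of the original post and not FreeIPA's own code: a minimal Python reader for a DER-encoded CRL such as the MasterCRL.bin mentioned above, mapping each revoked serial to its reason code so that serial 0xC and reason 1 can be checked after ipa cert-revoke. It assumes the file is DER, does not verify the CRL signature, and the names (tlv, children, revoked, der, SAMPLE_CRL) and the sample bytes are constructed for illustration.

```python
# Added example: list revoked serials in a DER X.509 CRL (RFC 5280); no signature check.
def tlv(buf, pos):  # read one DER element at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def revoked(crl_der):
    """Map each revoked serial number to its CRLReason code (None if absent)."""
    tag, cert_list, _ = tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not DER (convert PEM to DER first)")
    tbs = children(children(cert_list)[0][1])
    tbs = tbs[1:] if tbs[0][0] == 0x02 else tbs        # optional version INTEGER
    rest = tbs[3:]                                     # skip algorithm, issuer, thisUpdate
    rest = rest[1:] if rest and rest[0][0] in (0x17, 0x18) else rest  # optional nextUpdate
    result = {}
    if rest and rest[0][0] == 0x30:                    # revokedCertificates present
        for _, entry in children(rest[0][1]):
            fields, reason = children(entry), None
            for _, ext in (children(fields[2][1]) if len(fields) > 2 else []):
                parts = children(ext)
                if parts[0][1] == b"\x55\x1d\x15":     # id-ce-cRLReason (2.5.29.21)
                    reason = parts[-1][1][-1]          # ENUMERATED inside the OCTET STRING
            result[int.from_bytes(fields[0][1], "big")] = reason
    return result

def der(tag, *parts):                          # encoder used only to build the sample
    body = b"".join(parts)
    size = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + size + body

# Constructed sample CRL (dummy signature): serial 0xC with reason 1, serial 0x1F without.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05))
ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Test CA"))))
WHEN = der(0x17, b"150319134454Z")
REASON = der(0x30, der(0x30, der(0x06, b"\x55\x1d\x15"), der(0x04, der(0x0A, b"\x01"))))
ENTRIES = der(0x30, der(0x30, der(0x02, b"\x0c"), WHEN, REASON), der(0x30, der(0x02, b"\x1f"), WHEN))
TBS = der(0x30, der(0x02, b"\x01"), ALG, ISSUER, WHEN, WHEN, ENTRIES)
SAMPLE_CRL = der(0x30, TBS, ALG, der(0x03, b"\x00\xde\xad\xbe\xef"))
```

For the published file, call revoked(open("/var/lib/ipa/pki-ca/publish/MasterCRL.bin", "rb").read()) and look for key 12 (0xC). On a host with OpenSSL, openssl crl -inform DER -in MasterCRL.bin -noout -text prints the same fields in readable form.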