[Freeipa-users] revocation of a ssl certificate

Rob Crittenden rcritten at redhat.com
Thu Mar 19 14:11:15 UTC 2015


Nicolas Zin wrote:
> Hi,
> 
> let's say that I created an SSL certificate:
> ipa service-add HTTP/www.test.lan
> ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
> ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k /etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D www.test.lan -K HTTP/www.test.lan
> 
> and I installed it.
> 
> If the machine is compromised I would like to revoke it. What shall I do?
> 
> I saw you can stop renewing it via 
> ipa-getcert stop-tracking -i 20150319132153

That just stops tracking the certificate on the machine. It doesn't
touch the certificate or key or whatever server is using it at all. In
other words, you'd want to stop using this certificate as well.

> and seems to be that I can revoke it via
> 
> ipa cert-find
> ipa cert-revoke --revocation-reason=1 0xC

You shouldn't need the cert-find as you can get the serial number from
the certificate on the server and revoke it directly.

> is it sufficient?

Only if revocation is actually verified by clients using either CRL or OCSP.

> I didn't see the /var/lib/ipa/pki-ca/publish/MasterCRL.bin changed. I thought I should find the revoked certificate inside this binary file?
> Also, how can I print the content of MasterCRL.bin in a "readable" output?
> 

The CRL is generated every 4 hours by default.

# openssl crl -inform der -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin -text

rob
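As an added example (not part of Rob's reply or of FreeIPA itself): a POSIX shell script that reads the serial straight from the certificate file instead of running ipa cert-find, revokes it, and then checks whether the published CRL lists that serial yet. It assumes the certificate and CRL paths from the thread and that ipa and openssl are present on the IPA server; the sample CRL text is constructed so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Paths taken from the thread (assumed to exist on the IPA server).
CERT=/etc/pki/tls/certs/www.test.lan.crt
CRL=/var/lib/ipa/pki-ca/publish/MasterCRL.bin

# Normalise a hex serial ("0C", "0x0c", "serial=0C") to canonical "0xC" form so
# serials from openssl x509, openssl crl and the ipa CLI compare equal.
norm_serial() {
    sed -e 's/^serial=//' -e 's/^0[xX]//' -e 's/^0*//' -e 's/^$/0/' \
        | tr 'a-f' 'A-F' | sed 's/^/0x/'
}

# Serial of a PEM certificate file, read from the server (no ipa cert-find needed).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | norm_serial
}

# stdin: output of `openssl crl -text`; stdout: revoked serials, one per line.
crl_revoked_serials() {
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f][0-9A-Fa-f]*\).*$/\1/p' | norm_serial
}

# Usage: crl_lists_serial 0xC < crl.txt ; exit 0 only if the serial is revoked.
crl_lists_serial() {
    want=$(printf '%s\n' "$1" | norm_serial)
    crl_revoked_serials | grep -Fqx "$want"
}

# Real run on the IPA server: revoke with reason 1 (key compromise), then look
# for the serial in the published CRL. The CRL is regenerated every 4 hours by
# default, so a non-zero exit here can simply mean "not published yet".
# Remember to also stop tracking the request and stop serving the certificate.
revoke_and_verify() {
    serial=$(cert_serial "$CERT")
    ipa cert-revoke --revocation-reason=1 "$serial"
    openssl crl -inform der -in "$CRL" -text -noout | crl_lists_serial "$serial"
}

# Constructed sample of `openssl crl -text` output (not real CA output).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: O = TEST.LAN, CN = Certificate Authority
        Last Update: Mar 19 12:00:00 2015 GMT
        Next Update: Mar 19 16:00:00 2015 GMT
Revoked Certificates:
    Serial Number: 0C
        Revocation Date: Mar 19 13:30:00 2015 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1A
        Revocation Date: Mar 18 09:00:00 2015 GMT'
```

Run `revoke_and_verify` on the server after the compromise; pipe the text form of any CRL into `crl_lists_serial` to confirm a given serial has actually been published as revoked.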
