[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Endi Sukma Dewata edewata at redhat.com
Mon Jun 11 22:54:15 UTC 2012


On 6/10/2012 4:55 PM, Andrew Wnuk wrote:
> On 06/08/2012 04:56 PM, Nathan Kinder wrote:
>>> - revoke/hold/release
>> I like this one. Maybe even "revoke/hold/release-hold"? Plain
>> "release" doesn't seem very descriptive on its own. I think
>> "release-hold" is more clear.

Sounds good. I'll change that in the next patch revision.

> "on-hold" and "off-hold" are just two revocation reason values. Official
> standard names and values are certificateHold (6) and removeFromCRL (8),
> so I am fine with additional helper functions/commands (for hold and
> release/remove) as long as revocation will support all standard values
> for reason parameter including "certificateHold" and "removeFromCRL".
>
> CA provides two step revocation to avoid accidental revocation of
> incorrect certificates. This is important since revocation operation is
> irreversible (with one exception) and it is especially important to avoid
> accidental revocation of CA certificate.

Do you mean the CA Web UI? In the UI you'd have to go through several 
pages to find & select the certs and enter the revocation 
date/reason/comments, but you can still change the inputs in the last 
(confirmation) page, and once you click Submit the certificate will be 
revoked immediately, so basically it's still a single step operation. 
Usually a confirmation page shouldn't allow any input change without 
navigating to another page first.

> I do hope that CLI interface provides secure two step revocation
> including protection against accidental revocation of CA certificate.

I can change the CLI to ask for a confirmation before executing the 
operation like this:

% pki cert-revoke 0x8 --reason=KEY_COMPROMISE
Revoking certificate "0x8".
Are you sure (Y/N)? Y
-------------------------
Revoked certificate "0x8"
-------------------------

And for automation/scripting you can suppress the confirmation:

% pki cert-revoke 0x8 --reason=KEY_COMPROMISE --force
-------------------------
Revoked certificate "0x8"
-------------------------

Is this ok? How about the other add/mod/delete commands, should we 
confirm each operation that changes the database?

-- 
Endi S. Dewata
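
The confirmation flow discussed in this message, as an added Python sketch (not Dogtag PKI code and not part of the original e-mail). The function names and the policy that a force flag never bypasses the check for a CA certificate are assumptions made for illustration; the reason codes are the standard CRLReason values from RFC 5280.

```python
from enum import IntEnum


class CRLReason(IntEnum):
    """Standard revocation reason codes (RFC 5280); value 7 is unused."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


def parse_reason(text):
    """Accept a standard name (case, '_' and '-' ignored) or a numeric code."""
    key = text.replace("_", "").replace("-", "").lower()
    for reason in CRLReason:
        if key == reason.name.lower() or key == str(reason.value):
            return reason
    raise ValueError(f"unknown revocation reason: {text!r}")


def confirm_revocation(serial, reason, is_ca, force=False, ask=input):
    """Return True only if the revocation may be submitted.

    Assumed policy: force skips the Y/N prompt for ordinary certificates,
    but a CA certificate always requires retyping its serial number.
    """
    reason = parse_reason(reason)  # reject bad reasons before prompting
    if is_ca:
        answer = ask(f'"{serial}" is a CA certificate. '
                     "Retype the serial number to revoke it: ")
        return answer.strip().lower() == serial.lower()
    if force:
        return True
    print(f'Revoking certificate "{serial}" ({reason.name}).')
    return ask("Are you sure (Y/N)? ").strip().upper() == "Y"
```

The `ask` parameter defaults to `input` and can be replaced with a stub so the prompt logic is testable without a terminal.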



