[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Andrew Wnuk awnuk at redhat.com
Mon Jun 11 23:30:26 UTC 2012 

On 06/11/2012 03:54 PM, Endi Sukma Dewata wrote:
> On 6/10/2012 4:55 PM, Andrew Wnuk wrote:
>> On 06/08/2012 04:56 PM, Nathan Kinder wrote:
>>>> - revoke/hold/release
>>> I like this one. Maybe even "revoke/hold/release-hold"? Plain
>>> "release" doesn't seem very descriptive on it's own. I think
>>> "release-hold" is more clear.
>
> Sounds good. I'll change that in the next patch revision.
>
>> "on-hold" and "off-hold" are just two revocation reason values. Official
>> standard names and values are certificateHold (6) and removeFromCRL (8),
>> so I am fine with additional helper functions/commands (for hold and
>> release/remove) as long as revocation will support all standard values
>> for reason parameter including "certificateHold" and "removeFromCRL".
>>
>> CA provides two step revocation to avoid accidental revocation of
>> incorrect certificates. This is important since revocation operation is
>> irreversible (with one exception) and it is specially important to avoid
>> accidental revocation of CA certificate.
>
> Do you mean the CA Web UI? In the UI you'd have to go through several 
> pages to find & select the certs and enter the revocation 
> date/reason/comments, but you can still change the inputs in the last 
> (confirmation) page, and once you click Submit the certificate will be 
> revoked immediately, so basically it's still a single step operation. 
> Usually a confirmation page shouldn't allow any input change without 
> navigating to another page first.
>
>> I do hope that CLI interface provides secure two step revocation
>> including protection against accidental revocation of CA certificate.
>
> I can change the CLI to ask for a confirmation before executing the 
> operation like this:
>
> % pki cert-revoke 0x8 --reason=KEY_COMPROMISE
> Revoking certificate "0x8".
> Are you sure (Y/N)? Y
> -------------------------
> Revoked certificate "0x8"
> -------------------------
You not really after confirmation but verification, so you need more 
info than just the same serial number.
You want to be sure that you are actually revoking correct certificate, 
so maybe serial number and subject name would be enough.
>
> And for automation/scripting you can suppress the confirmation:
>
> % pki cert-revoke 0x8 --reason=KEY_COMPROMISE --force
> -------------------------
> Revoked certificate "0x8"
> -------------------------
>
> Is this ok? How about the other add/mod/delete commands, should we 
> confirm each operation that changes the database?
>

More information about the Pki-devel mailing list