[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Endi Sukma Dewata edewata at redhat.com
Tue Jun 12 00:44:35 UTC 2012 

On 6/11/2012 6:30 PM, Andrew Wnuk wrote:
>>> I do hope that CLI interface provides secure two step revocation
>>> including protection against accidental revocation of CA certificate.
>>
>> I can change the CLI to ask for a confirmation before executing the
>> operation like this:
>>
>> % pki cert-revoke 0x8 --reason=KEY_COMPROMISE
>> Revoking certificate "0x8".
>> Are you sure (Y/N)? Y
>> -------------------------
>> Revoked certificate "0x8"
>> -------------------------

> You not really after confirmation but verification, so you need more
> info than just the same serial number.
> You want to be sure that you are actually revoking correct certificate,
> so maybe serial number and subject name would be enough.

Suppose there is a number of certs with the same subject (I'm not sure 
how common this is), requiring the serial number and the subject name 
might not be much more helpful than requiring the serial number alone. 
How about showing the cert info in the confirmation?

% pki cert-revoke 0x8 --reason=KEY_COMPROMISE
Revoking certificate:
   Serial Number: 0x8
   Issuer: CN=Certificate Authority,O=EXAMPLE-COM
   Subject: UID=testuser,E=testuser at example.com,CN=Test User
   Status: VALID
   Not Before: Mon Jun 11 17:29:44 CDT 2012
   Not After: Sat Dec 08 16:29:44 CST 2012
Are you sure (Y/N)? Y
-------------------------
Revoked certificate "0x8"
-------------------------

In the UI you can search the certs based on other criteria such as 
subject, issuer, validity, etc. In CLI this can be handled by a separate 
cert-find command. Once you get the serial number you can use it to call 
cert-revoke.

If you know exactly the serial number you want to revoke, you can skip 
the cert-find and then call cert-revoke with --force to skip the 
confirmation.

>> Is this ok? How about the other add/mod/delete commands, should we
>> confirm each operation that changes the database?

Same question, do we need to do the same type of 
verification/confirmation for other update operations?

-- 
Endi S. Dewata

More information about the Pki-devel mailing list