[Pki-devel] [PATCH] 66 Added cert revocation CLI.

Andrew Wnuk awnuk at redhat.com
Tue Jun 12 18:16:46 UTC 2012


On 06/11/2012 05:44 PM, Endi Sukma Dewata wrote:
> On 6/11/2012 6:30 PM, Andrew Wnuk wrote:
>>>> I do hope that the CLI interface provides secure two-step revocation
>>>> including protection against accidental revocation of the CA certificate.
>>>
>>> I can change the CLI to ask for a confirmation before executing the
>>> operation like this:
>>>
>>> % pki cert-revoke 0x8 --reason=KEY_COMPROMISE
>>> Revoking certificate "0x8".
>>> Are you sure (Y/N)? Y
>>> -------------------------
>>> Revoked certificate "0x8"
>>> -------------------------
>
>> You are not really after confirmation but verification, so you need more
>> info than just the same serial number.
>> You want to be sure that you are actually revoking the correct certificate,
>> so maybe serial number and subject name would be enough.
>
> Suppose there are a number of certs with the same subject (I'm not sure 
> how common this is), requiring the serial number and the subject name 
> might not be much more helpful than requiring the serial number alone. 
> How about showing the cert info in the confirmation?
>
> % pki cert-revoke 0x8 --reason=KEY_COMPROMISE
> Revoking certificate:
>   Serial Number: 0x8
>   Issuer: CN=Certificate Authority,O=EXAMPLE-COM
>   Subject: UID=testuser,E=testuser at example.com,CN=Test User
>   Status: VALID
>   Not Before: Mon Jun 11 17:29:44 CDT 2012
>   Not After: Sat Dec 08 16:29:44 CST 2012
> Are you sure (Y/N)? Y
> -------------------------
> Revoked certificate "0x8"
> -------------------------
>
> In the UI you can search the certs based on other criteria such as 
> subject, issuer, validity, etc. In CLI this can be handled by a 
> separate cert-find command. Once you get the serial number you can use 
> it to call cert-revoke.
>
> If you know exactly the serial number you want to revoke, you can skip 
> the cert-find and then call cert-revoke with --force to skip the 
> confirmation.
You should create a separate command to handle CA certificate revocation 
or at least add an additional parameter to confirm forcing of CA 
certificate revocation.
>
>>> Is this ok? How about the other add/mod/delete commands, should we
>>> confirm each operation that changes the database?
>
> Same question, do we need to do the same type of 
> verification/confirmation for other update operations?
>
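
The decision logic discussed in this thread, as an added Python example that is not part of the original messages or the project's code: show the certificate details for verification, let `--force` skip the prompt, and require a separate opt-in before a CA certificate can be revoked. The `CertInfo` model, the `allow_ca` parameter and the sample certificates are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertInfo:
    # Constructed model of the fields shown in the proposed confirmation prompt.
    serial: str
    issuer: str
    subject: str
    status: str
    is_ca: bool  # assumption: taken from the certificate's basicConstraints CA flag


def summary(cert):
    """Details shown so the operator verifies the target, not just the serial."""
    return "\n".join([
        "Revoking certificate:",
        f"  Serial Number: {cert.serial}",
        f"  Issuer: {cert.issuer}",
        f"  Subject: {cert.subject}",
        f"  Status: {cert.status}",
    ])


def may_revoke(cert, force=False, allow_ca=False, ask=input):
    """Return (allowed, reason). allow_ca is a hypothetical extra parameter."""
    # A CA certificate needs its own explicit opt-in; force alone never covers it.
    if cert.is_ca and not allow_ca:
        return False, "CA certificate: additional parameter required"
    if force:
        return True, "forced"
    # Interactive path: display the details, then ask for confirmation.
    answer = ask(summary(cert) + "\nAre you sure (Y/N)? ")
    if answer.strip().upper() == "Y":
        return True, "confirmed"
    return False, "cancelled by operator"


# Constructed sample data, modelled on the prompt shown in the thread.
USER = CertInfo("0x8", "CN=Certificate Authority,O=EXAMPLE-COM",
                "UID=testuser,CN=Test User", "VALID", False)
CA = CertInfo("0x1", "CN=Certificate Authority,O=EXAMPLE-COM",
              "CN=Certificate Authority,O=EXAMPLE-COM", "VALID", True)
```
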



