Hi there!

What am I doing wrong? I created an SSH certificate id_user_rsa-cert.pub with this dump:

id_user_rsa-cert.pub:
root@host # ssh-keygen -Lf id_user_rsa-cert.pub
        Type: ssh-rsa-cert-v01@xxxxxxxxxxx user certificate
        Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
        Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
        Key ID: "test@myhost.mydomain.example"
        Serial: 18
        Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
        Principals:
                test
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Now I try to revoke this certificate with:

ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub

The serial is 1 less than the serial of my created certificate.

Check if my certificate is valid:

root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED

Why? I thought that when I use -s <Serialnumber>, only this specific certificate for a pubkey is revoked...

jakob

--
lore ipsum
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev