On Fri, 13 Sep 2019, Jakob Schürz wrote:

> Hi there!
>
> What am I doing wrong?
>
> I created a ssh-certificate id_user_rsa-cert.pub with this dump:
>
> id_user_rsa-cert.pub:
> root@host # ssh-keygen -Lf id_user_rsa-cert.pub
>         Type: ssh-rsa-cert-v01@xxxxxxxxxxx user certificate
>         Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
>         Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
>         Key ID: "test@myhost.mydomain.example"
>         Serial: 18
>         Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
>         Principals:
>                 test
>         Critical Options: (none)
>         Extensions:
>                 permit-X11-forwarding
>                 permit-agent-forwarding
>                 permit-port-forwarding
>                 permit-pty
>                 permit-user-rc
>
> Now I try to revoke this certificate with
>
> ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub
>
> The serial is 1 less than the serial of my created certificate.
>
> Check, if my certificate is valid:
>
> root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED
>
> Why? I thought, when I use -s <Serialnumber> only this specific
> certificate for a pubkey is revoked...

If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra
debugging that might show what is going on. You'll probably need to add
-vvv to ssh-keygen's flags too.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
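A worked comparison of the two ways `ssh-keygen -k` can revoke a certificate, as an added example that is not part of the thread: revoking serial 17 through a KRL specification file (`serial: 17`), versus passing the certificate file itself, which revokes that certificate's own serial, with `-z` in `-k` mode setting only the KRL version number as documented in ssh-keygen(1). All key names, serials and paths are constructed, and the script skips itself when `ssh-keygen` is not installed.

```shell
#!/bin/sh
# Added demonstration (not from the thread). krl_serial_demo prints one
# line per check and returns 0 when both KRLs behave as ssh-keygen(1)
# documents; it returns 0 without checking when ssh-keygen is absent.

# krl_check <krl> <cert> <expected: ok|REVOKED>; sets status=1 on mismatch.
krl_check() {
    out=$(ssh-keygen -Qf "$1" "$2" 2>&1 || true)   # -Q exits non-zero on REVOKED
    case "$out" in
        *REVOKED*) got=REVOKED ;;
        *)         got=ok ;;
    esac
    echo "$(basename "$1") $(basename "$2"): $got (expected $3)"
    [ "$got" = "$3" ] || status=1
}

krl_serial_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, skipping"; return 0; }
    d=$(mktemp -d) || return 1
    # Constructed CA plus two user keys, signed into certs with serials 17 and 18.
    ssh-keygen -q -t ed25519 -N '' -f "$d/ca" -C 'constructed CA' || return 1
    for serial in 17 18; do
        ssh-keygen -q -t ed25519 -N '' -f "$d/user$serial" || return 1
        # In signing mode -z is the certificate serial number.
        ssh-keygen -q -s "$d/ca" -I "test$serial@example" -n test -z "$serial" \
            "$d/user$serial.pub" || return 1
    done
    # KRL 1: a specification file revoking serial 17 only. Here -z is the
    # KRL's own version number; -s names the CA the serial belongs to.
    printf 'serial: 17\n' > "$d/revoke.spec"
    ssh-keygen -q -k -f "$d/krl1" -s "$d/ca.pub" -z 1 "$d/revoke.spec" || return 1
    # KRL 2: the certificate file is given directly, so that certificate
    # (serial 18) is revoked regardless of the -z value.
    ssh-keygen -q -k -f "$d/krl2" -s "$d/ca.pub" -z 17 "$d/user18-cert.pub" || return 1
    status=0
    krl_check "$d/krl1" "$d/user17-cert.pub" REVOKED
    krl_check "$d/krl1" "$d/user18-cert.pub" ok
    krl_check "$d/krl2" "$d/user17-cert.pub" ok
    krl_check "$d/krl2" "$d/user18-cert.pub" REVOKED
    rm -rf "$d"
    return $status
}
```

Run `krl_serial_demo` after sourcing the script; a non-zero return means a KRL did not match the expected revocation pattern.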