On Mon, 16 Sep 2019, Jakob Schürz wrote:

> Hi Damien!
>
> Hmmm... thought about a little...
>
> when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug
> is compiled in.

debugging is compiled in generally, but the recipe I mentioned turns on
extra KRL debugging.

> ssh-keygen --help gives me
>
> ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
>
> so... option -z is not the serial of the certificate, it is the
> version-number of the KRL-File...

oops, yes.

> My openssh-Version from Debian is 1:7.4p1-10+deb9u7. Maybe, this
> openssh-version does not support revoking a certificate by its
> serial number.

It almost certainly does, but you'd need to use a KRL specification file.
See the "KEY REVOCATION LISTS" section in the ssh-keygen manpage.

> This leads me to the next question... The serial-number of
> a certificate is unique over all certificates, or is it allowed to
> increment serial-numbers for each certificate separately? How is the design?

what goes in the serial number is totally up to the CA. OpenSSH doesn't
make any authentication decisions based on it - it's in the certificate
mostly to allow very compact revocation lists.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev