RE: Problems revoking a cert

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Michael Leone
> Sent: Monday, February 24, 2020 09:37

> SO I was an idiot, and signed a certificate, but specified an invalid location. i.e.,
> I used a "/" instead of a "/" in the location.

I assume that was supposed to be 'a "\" instead of a "/"', based on what you have below.

> $ sudo openssl ca -in requests/<client>.req -out certs\<client>-2020-02-24.<FQDN>
>
> And so I can't find that cert file anywhere (obviously).

That's not obvious at all. The backslash just escapes the first character of <client> for the shell (assuming root's shell isn't something very idiosyncratic), so the file should just be named

   certs<client>-2020-02-4.<FQDN>

(substituting the appropriate strings), and should be in the directory containing the requests and certs directories. Since you ran openssl as root (which wouldn't be my choice, but whatever), write permission to the directory shouldn't have been a problem.

> So I'd like to revoke it, so that I can re-sign it properly. But whenever I go to
> revoke it, I have nothing to use an input to the revoke functionality.

Does your CA configuration not have a new_certs_dir? Normally it will create a copy of the certificate there, under the serial number.

> I know the serial number of the wrongly issued cert, I had hoped I could revoke
> using just the serial number. But searches tell me I can't do it that way.

Well, you *can*, by editing the CA's index.txt file directly. You can create and revoke a test certificate to see what the altered line should look like. (It will start with "R" instead of "V", and have a revocation date. Fields are separated by tabs.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus






[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux