Problems revoking a cert


Problems revoking a cert

Michael Leone
SO I was an idiot, and signed a certificate, but specified an invalid location. i.e., I used a "/" instead of a "/" in the location.

$ sudo openssl ca -in requests/<client>.req -out certs\<client>-2020-02-24.<FQDN>

And so I can't find that cert file anywhere (obviously). So I'd like to revoke it, so that I can re-sign it properly. But whenever I go to revoke it, I have nothing to use as input to the revoke functionality.

I know the serial number of the wrongly issued cert; I had hoped I could revoke using just the serial number. But searches tell me I can't do it that way.

So what can I do now? (Short of asking for another request file, I mean. I can't re-sign the existing one; openssl tells me that a cert already exists. And I don't think I can just insert the bad cert serial number in the CRL, right? To "effectively" revoke it, so I can re-sign, properly?)

Thanks
--

Mike. Leone, <mailto:[hidden email]>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

RE: Problems revoking a cert

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Leone
> Sent: Monday, February 24, 2020 09:37

> SO I was an idiot, and signed a certificate, but specified an invalid location. i.e.,
> I used a "/" instead of a "/" in the location.

I assume that was supposed to be 'a "\" instead of a "/"', based on what you have below.

> $ sudo openssl ca -in requests/<client>.req -out certs\<client>-2020-02-24.<FQDN>
>
> And so I can't find that cert file anywhere (obviously).

That's not obvious at all. The backslash just escapes the first character of <client> for the shell (assuming root's shell isn't something very idiosyncratic), so the file should just be named

   certs<client>-2020-02-4.<FQDN>

(substituting the appropriate strings), and should be in the directory containing the requests and certs directories. Since you ran openssl as root (which wouldn't be my choice, but whatever), write permission to the directory shouldn't have been a problem.

> So I'd like to revoke it, so that I can re-sign it properly. But whenever I go to
> revoke it, I have nothing to use as input to the revoke functionality.

Does your CA configuration not have a new_certs_dir? Normally it will create a copy of the certificate there, under the serial number.

> I know the serial number of the wrongly issued cert, I had hoped I could revoke
> using just the serial number. But searches tell me I can't do it that way.

Well, you *can*, by editing the CA's index.txt file directly. You can create and revoke a test certificate to see what the altered line should look like. (It will start with "R" instead of "V", and have a revocation date. Fields are separated by tabs.)

--
Michael Wojcik
Distinguished Engineer, Micro Focus
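Two points in the reply above are easy to check for yourself: what the shell actually does with `certs\<client>`, and what a revoked line in the CA's index.txt looks like. The following is an added example written for this thread, not code from either poster or from OpenSSL. It tokenises the argument the way a POSIX shell would (via `shlex`), and it parses a constructed index.txt and marks one entry revoked by serial number, producing the same "R" line with a tab-separated revocation date that `openssl ca -revoke` would write. The sample index contents and the serials in it are made up; the six-column layout (status, expiry, revocation date, serial, filename, subject DN) is the real one.

```python
"""Added example: shell escaping check and hand-editing an openssl-ca index.txt by serial."""
import shlex
from datetime import datetime, timezone


def shell_word(arg):
    """Tokenise one unquoted argument like a POSIX shell would.

    Outside quotes a backslash only escapes the next character, so
    'certs\\<client>' becomes 'certs<client>'; no 'certs' directory is involved.
    """
    return shlex.split(arg)[0]


# Constructed sample index.txt (not from a real CA). Columns are tab-separated:
#   status (V/R/E)  expiry (YYMMDDHHMMSSZ)  revocation date[,reason]  serial (hex)  filename  subject
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t1001\tunknown\t/CN=alpha.example.test\n"
    "R\t300101000000Z\t200101120000Z,keyCompromise\t1002\tunknown\t/CN=bravo.example.test\n"
    "V\t300101000000Z\t\t1003\tunknown\t/CN=charlie.example.test\n"
)

FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Parse index.txt into a list of dicts, one per issued certificate."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(FIELDS):
            raise ValueError(f"malformed index line (expected 6 tab-separated fields): {line!r}")
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def format_index(rows):
    """Serialise rows back to index.txt form (tabs, one entry per line)."""
    return "".join("\t".join(r[f] for f in FIELDS) + "\n" for r in rows)


def revoke_serial(text, serial, when=None, reason=None):
    """Return a new index.txt with the entry for `serial` marked revoked.

    This reproduces what `openssl ca -revoke` records: status 'V' -> 'R' and a
    UTC timestamp (plus an optional ',reason' suffix) in the revocation column.
    Serials in index.txt are hex; comparison is case-insensitive here.
    """
    rows = parse_index(text)
    hits = [r for r in rows if r["serial"].upper() == serial.upper()]
    if not hits:
        raise LookupError(f"serial {serial} not found in index")
    row = hits[0]
    if row["status"] == "R":
        raise ValueError(f"serial {serial} is already revoked")
    stamp = (when or datetime.now(timezone.utc)).strftime("%y%m%d%H%M%SZ")
    row["status"] = "R"
    row["revoked"] = stamp + (f",{reason}" if reason else "")
    return format_index(rows)


def is_revoked(text, serial):
    """True if the entry for `serial` carries status 'R'."""
    return any(r["serial"].upper() == serial.upper() and r["status"] == "R"
               for r in parse_index(text))


if __name__ == "__main__":
    print(shell_word(r"certs\<client>-2020-02-24.<FQDN>"))
    print(revoke_serial(SAMPLE_INDEX, "1003", reason="superseded"), end="")
```

After writing the edited file back in place of index.txt, `openssl ca -gencrl` will pick up the new "R" entry on the next CRL. The CA's companion files (`index.txt.attr`, `serial`, `crlnumber`) are not touched by this, and as the reply says, creating and revoking a throwaway test certificate first is the safest way to confirm the exact line format your OpenSSL version writes.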



Re: Problems revoking a cert

Michael Leone
On Mon, Feb 24, 2020 at 12:09 PM Michael Wojcik <[hidden email]> wrote:
> > From: openssl-users [mailto:[hidden email]] On Behalf Of Michael Leone
> > Sent: Monday, February 24, 2020 09:37
>
> > SO I was an idiot, and signed a certificate, but specified an invalid location. i.e.,
> > I used a "/" instead of a "/" in the location.
>
> I assume that was supposed to be 'a "\" instead of a "/"', based on what you have below.

Yes, I had it backwards. And I was able to find the file, and properly revoke it, after sending my initial email. I just haven't had time to go back and tell the list.

> > $ sudo openssl ca -in requests/<client>.req -out certs\<client>-2020-02-24.<FQDN>
> >
> > And so I can't find that cert file anywhere (obviously).
>
> That's not obvious at all.

I meant - obviously it's not in the subdirectory I thought it would be in ...

> Does your CA configuration not have a new_certs_dir? Normally it will create a copy of the certificate there, under the serial number.
>
> > I know the serial number of the wrongly issued cert, I had hoped I could revoke
> > using just the serial number. But searches tell me I can't do it that way.
>
> Well, you *can*, by editing the CA's index.txt file directly. You can create and revoke a test certificate to see what the altered line should look like. (It will start with "R" instead of "V", and have a revocation date. Fields are separated by tabs.)

Interesting. Thanks.