Let's say that I created an SSL certificate:
ipa service-add HTTP/www.test.lan
ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k /etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D www.test.lan -K

and I installed it.

If the machine is compromised I would like to revoke it. What shall I do?

I saw you can stop renewing it via 
ipa-getcert stop-tracking -i 20150319132153

and it seems that I can revoke it via

ipa cert-find
ipa cert-revoke --revocation-reason=1 0xC

Is it sufficient?

I didn't see /var/lib/ipa/pki-ca/publish/MasterCRL.bin change. I thought I
should find the revoked certificate inside this binary file?
Also, how can I print the content of MasterCRL.bin in a "readable" output?


Nicolas Zin

PS: I have to confess that I don't master CRL and OCSP.
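
The last two questions above, as an added example that is not part of the original post and is not FreeIPA's own tooling: decode a CRL with openssl and check whether a given serial is listed in it. It assumes MasterCRL.bin is a DER-encoded X.509 CRL; the CA, the CRL and the function names make_demo_crl and crl_lists_serial are constructed for illustration.

```shell
# Added example. make_demo_crl builds a CONSTRUCTED throwaway CA and a DER CRL
# that revokes serial 0C with reason keyCompromise (RFC 5280 reason code 1,
# the value passed as --revocation-reason=1 above). Prints the CRL path.
make_demo_crl() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Constructed Demo CA
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
default_md = sha256
default_crl_days = 7
EOF
    # One revoked entry in OpenSSL's CA database format (tab-separated):
    # status, expiry, revocation date[,reason], serial, file, subject
    printf 'R\t350101000000Z\t250101000000Z,keyCompromise\t0C\tunknown\t/CN=www.test.lan\n' \
        > "$d/index.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 7 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" \
        -cert "$d/ca.crt" -out "$d/crl.pem" 2>/dev/null &&
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/MasterCRL.bin" &&
    printf '%s\n' "$d/MasterCRL.bin"
}

# crl_lists_serial FILE SERIAL: succeeds if the DER CRL lists SERIAL (hex,
# with or without a 0x prefix, as shown by "ipa cert-find").
crl_lists_serial() {
    want=$(printf '%s' "${2#0x}" | tr 'a-f' 'A-F')
    # openssl prints serials as whole bytes, so pad to an even digit count
    if [ $(( ${#want} % 2 )) -eq 1 ]; then want="0$want"; fi
    openssl crl -inform DER -in "$1" -noout -text |
        grep -Eq "Serial Number: ${want}[[:space:]]*\$"
}

crl=$(make_demo_crl)
# Human-readable dump: issuer, Last/Next Update, revoked serials and reasons
openssl crl -inform DER -in "$crl" -noout -text
crl_lists_serial "$crl" 0xC && echo "serial 0xC is listed as revoked"
# Against the real file (path from the post):
#   crl_lists_serial /var/lib/ipa/pki-ca/publish/MasterCRL.bin 0xC
```

The "Last Update" and "Next Update" lines in the dump show when the CRL file was generated and when the next one is due, which is the first thing to compare against the revocation time when a serial is not yet listed.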
