Nicolas Zin wrote:
> Let's say that I created an SSL certificate:
> ipa service-add HTTP/www.test.lan
> ipa service-add-host --hosts=ipa-server.test.lan HTTP/www.test.lan
> ipa-getcert request -r -f /etc/pki/tls/certs/www.test.lan.crt -k /etc/pki/tls/private/www.test.lan.key -N CN=www.test.lan -D www.test.lan -K
> and I installed it.
> If the machine is compromised I would like to revoke it. What shall I do?
> I saw you can stop renewing it via
> ipa-getcert stop-tracking -i 20150319132153
That just stops tracking the certificate on the machine. It doesn't
touch the certificate or key or whatever server is using it at all. In
other words, you'd want to stop using this certificate as well.
> and it seems that I can revoke it via
> ipa cert-find
> ipa cert-revoke --revocation-reason=1 0xC
You shouldn't need the cert-find as you can get the serial number from
the certificate on the server and revoke it directly.
> is it sufficient?
Only if revocation is actually verified by clients using either CRL or OCSP.
> I didn't see the /var/lib/ipa/pki-ca/publish/MasterCRL.bin change. I thought
> I should find the revoked certificate inside this binary file?
> Also, how can I print the content of MasterCRL.bin in a "readable" output?
The CRL is generated every 4 hours by default.
# openssl crl -inform der -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin
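MasterCRL.bin is a DER-encoded X.509 CertificateList, so the revoked serial is in there as an INTEGER inside the revokedCertificates list once the CA has regenerated the file; `openssl crl -inform der -in MasterCRL.bin -text -noout` prints that list, and `openssl x509 -in www.test.lan.crt -noout -serial` gives the serial to compare it against (and to pass to `ipa cert-revoke`). The parser below is an added example for this thread, not FreeIPA or Dogtag code: it walks the DER structure with the standard library only and answers "is serial 0xC in this CRL?" directly. The two sample CRLs it builds are constructed inline with a dummy signature so it runs offline; a real MasterCRL.bin is signed by the IPA CA and a client must also verify that signature before trusting the list.

```python
"""Parse a DER-encoded X.509 CRL, the format of /var/lib/ipa/pki-ca/publish/MasterCRL.bin,
and list the serial numbers it revokes.

Added example for this thread, not FreeIPA or Dogtag code. The two sample CRLs at the
bottom are constructed here with a dummy signature so the parser runs offline; a real
MasterCRL.bin is signed by the IPA CA and should be checked against the CA certificate.
"""


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos).
    Single-byte tags and definite lengths only, which is all a CRL uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a SEQUENCE or SET into a list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def revoked_entries(crl_der):
    """Return [(serial_int, revocation_time_str), ...] from the CRL's revokedCertificates.

    CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signatureValue }
    TBSCertList     ::= SEQUENCE { version OPTIONAL, signature, issuer, thisUpdate,
                                   nextUpdate OPTIONAL, revokedCertificates OPTIONAL,
                                   crlExtensions [0] OPTIONAL }
    """
    tag, cert_list, _ = _read_tlv(crl_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER CertificateList (expected SEQUENCE)")
    _, tbs, _ = _read_tlv(cert_list, 0)
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0    # skip INTEGER version if present (v2 CRLs)
    i += 3                                  # skip signature AlgorithmIdentifier, issuer Name, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):   # UTCTime / GeneralizedTime nextUpdate
        i += 1
    if i >= len(fields) or fields[i][0] != 0x30:
        return []                           # no revokedCertificates: nothing revoked yet
    entries = []
    for _, entry in _children(fields[i][1]):
        # entry ::= SEQUENCE { userCertificate INTEGER, revocationDate Time, crlEntryExtensions OPTIONAL }
        (_, serial_bytes), (_, when) = _children(entry)[:2]
        entries.append((int.from_bytes(serial_bytes, "big", signed=True), when.decode("ascii")))
    return entries


def revoked_serials(crl_der):
    """Serial numbers only, as ints (the thread's 0xC is 12 here)."""
    return [serial for serial, _ in revoked_entries(crl_der)]


def is_revoked(crl_der, serial):
    """True if the certificate with this serial number appears in the CRL."""
    return serial in revoked_serials(crl_der)


def describe(crl_der):
    """Human-readable lines, one per revoked certificate, serial in the 0x form ipa prints."""
    return ["serial 0x%X revoked at %s" % (s, t) for s, t in revoked_entries(crl_der)]


# --- constructed sample data (dummy signature, not a real IPA CRL) ---------------

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    """DER INTEGER with minimal two's-complement length."""
    return _der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


_SHA256_RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                      + _der(0x13, b"Certificate Authority"))))


def _sample_crl(revoked):
    """Build a v2 CRL; `revoked` is a list of (serial, UTCTime bytes), or [] for an empty CRL."""
    tbs = _int(1) + _SHA256_RSA + _ISSUER + _der(0x17, b"150319140000Z") + _der(0x17, b"150319180000Z")
    if revoked:
        tbs += _der(0x30, b"".join(_der(0x30, _int(s) + _der(0x17, t)) for s, t in revoked))
    return _der(0x30, _der(0x30, tbs) + _SHA256_RSA + _der(0x03, b"\x00" * 33))


SAMPLE_CRL = _sample_crl([(0xC, b"150319132500Z"), (0x1F, b"150319133000Z")])
EMPTY_CRL = _sample_crl([])   # the state before the CA's next CRL generation picks up a revocation

if __name__ == "__main__":
    for line in describe(SAMPLE_CRL):
        print(line)
    print("0xC revoked:", is_revoked(SAMPLE_CRL, 0xC))
```

To use it on a real file, read MasterCRL.bin as bytes and call `is_revoked(data, 0xC)`; an empty result right after `ipa cert-revoke` is expected until the CA regenerates the CRL, which is exactly the delay described above.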
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project