Thank you for the explanation. I will read the docs of my root CA again to see what exactly happens.
-------- Original Message --------
On 20.10.24 15:57, Oliver Welter - mail at oliwel.de <mail_at_oliwel_de_zjhngnx...@simplelogin.co> wrote:

> Hi Marko,
>
> I am confused....revoking a certificate does not change the certificate itself, revocation information is "external" status information that is usually distributed to the communication parties using a CRL or OCSP. It might be the case that your CA tool adds some textual metadata in the files but this is nothing which is read by OpenXPKI, we just parse the PEM encoded data and strip anything else around.
>
> The identifier in OpenXPKI is the digest of the certificate body, you should not get the same hash for another certificate which also indicates to me that your "revoked" certificate file and the "original" are just the same one with regards to the PEM encoded certificate.
>
> OpenXPKI holds the revocation info as a field in the database next to the cert, you can update this using `openxpkicli --realm myrealm import_certificate` with the update and revoked flag (see perldoc OpenXPKI::Server::API2::Plugin::Cert::import_certificate).
>
> best regards
>
> Oli
>
>
> On 20.10.24 12:23, openxpki.p9abw--- via OpenXPKI-users wrote:
> > Hi Oliver
> > Good to know.
> >
> > Topic "metadata":
> > I created an intermediate certificate with my offline computer with my root CA and imported it. OpenXPKI shows the following data:
> >
> > -------------
> > Certificate Serial
> > d639df36930e93607eb2a83b378675ce
> >
> > Certificate Identifier
> > 7LgtOek-y16Jr2rmgHHwwE0K09k
> >
> > not before
> > 2024-10-16 22:28:26 UTC
> > not after
> > 2034-10-14 22:28:26 UTC
> >
> > Status
> > Issued
> > -------
> >
> > Then I revoked it with my root CA and tried to import the new "revoked" certificate, but it doesn't work. OpenXPKI says that it already exists and shows me the old identifier of the old "unrevoked" certificate. So I tried to delete it.
> >
> > -------------------------
> > root@pki:~# openxpkiadm certificate remove --name "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
> > Successfully deleted certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k) from database.
> >
> > root@pki:~# openxpkiadm certificate remove --name "7LgtOek-y16Jr2rmgHHwwE0K09k" --force
> > Certificate 7LgtOek-y16Jr2rmgHHwwE0K09k (identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k) not found in database.
> > -------------------------------
> >
> > The old certificate can't be found via CLI or WebUI anymore. So I import the new revoked certificate, which also has a different serial number (87:aa:fe:e2:be:52:4e:ba:7d:01:ce:02:8b:01:e3:33), but it always brings the old one up.
> >
> > --------------
> > openxpkiadm certificate import --file first_realm_new.crt (I checked the file 100 times, it's the new one)
> > Starting import
> > Successfully imported certificate into database:
> > Subject: CN=MS Intermediate CA,O=MS
> > Issuer: CN=MS Root CA,O=MasterSign
> > Identifier: 7LgtOek-y16Jr2rmgHHwwE0K09k
> > Realm: none
> > ----
> >
> > It's again the old identifier, and if I look at the WebUI for this identifier I get the old certificate with the old serial number.
> >
> > I'm really really confused about this.
> >
> >
> > Oliver Welter - mail at oliwel.de <mail_at_oliwel_de_zjhngnx...@simplelogin.co> wrote on Saturday, 19 October 2024 at 19:00:
> >
> >> Hi Marko,
> >>
> >> the certificate handling part of the openxpkiadm command is known to be broken, we are building a new CLI which will hopefully be available at least in a beta state with the next release.
> >>
> >> I don't understand what you mean with "metadata" - you can not change a certificate's validity without changing the cert - what kind of cert is this and how is it used? There are several commands for certificate management using the "openxpkicli" interface via the API that might be helpful, or the fast way is to just use SQL...
> >>
> >> Oliver
> >>
> >> On 19.10.24 16:51, openxpki.p9abw--- via OpenXPKI-users wrote:
> >>
> >>> Heho
> >>> I'm pretty new to OpenXPKI and ran into a little problem.
> >>>
> >>> Ref: https://github.com/openxpki/openxpki/issues/920#issuecomment-2423776202
> >>>
> >>> If I try to remove a certificate I get the following output:
> >>> -----------
> >>> openxpkiadm certificate remove --name 7LgtOek-y16Jr3rmgHHwwE0K08k --debug 128
> >>> [DEBUG] New session of type 'Memory' created
> >>> I18N_OPENXPKI_SERVER_CONTEXT_CTX_OBJECT_NOT_DEFINED
> >>> OBJECT: session
> >>> ---------
> >>> With --force I can remove the certificate, but it doesn't get removed completely. So if I re-import the revoked certificate then it shows the old metadata (instead of expiring 2024, it shows 2034).
> >>>
> >>> I can't really understand how to fix this. Is it a possible configuration error?
> >>>
> >>> Greetings
> >>> Marko
> >>>
> >>> Debian Bookworm
> >>> Version (core): 3.30.3
> >>>
> >>> _______________________________________________
> >>> OpenXPKI-users mailing list
> >>> OpenXPKI-users@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> >> --
> >> Protect your environment - close windows and adopt a penguin!
> --
> Protect your environment - close windows and adopt a penguin!
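Oli's explanation above comes down to two checks that anyone in Marko's situation can run before touching the database: does the "revoked" file really contain a different PEM body than the original, and what serial number is actually encoded in each file? The script below is an added example written for this thread, not code from OpenXPKI or from either poster. It strips everything around the first `-----BEGIN CERTIFICATE-----` block (the textual status notes a CA tool may prepend), computes the identifier, and pulls the serial number straight out of the DER with a minimal ASN.1 walk. Two assumptions are labelled in the code: that OpenXPKI's identifier is the URL-safe base64 encoding of the SHA-1 digest of the DER with padding stripped (the 27-character identifiers in the thread are consistent with a 20-byte digest, but verify against your own WebUI), and that the sample "certificates" are constructed stand-ins that are only structurally valid up to the serial number, using the two serials Marko posted.

```python
import base64
import hashlib
import re

# First PEM certificate block; anything before or after it (an "openssl x509 -text"
# dump, a "Status: Revoked" note a CA tool prepends, ...) is deliberately ignored,
# which mirrors Oli's description of what OpenXPKI does on import.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block found in `text`."""
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def openxpki_identifier(der: bytes) -> str:
    """ASSUMPTION: identifier = urlsafe-base64(SHA-1(DER)) without '=' padding.
    Check one value against the WebUI before relying on this."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).decode().rstrip("=")


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag-length-value reader: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_serial(der: bytes) -> str:
    """Hex serial from Certificate.tbsCertificate.serialNumber (RFC 5280 layout)."""
    tag, pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:                          # serialNumber INTEGER
        raise ValueError("serialNumber not found")
    # signed=True so a leading 0x00 (positive number with MSB set) is handled
    return format(int.from_bytes(der[vstart:vend], "big", signed=True), "x")


# ---- constructed sample input (NOT real certificates) ----------------------
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "short-form length is enough for the samples"
    return bytes([tag, len(value)]) + value


def build_sample_der(serial: int) -> bytes:
    """Stand-in DER that is structurally valid only up to serialNumber."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                       # v3
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")  # positive
    filler = _tlv(0x04, b"\x00" * 8)                                # placeholder
    return _tlv(0x30, _tlv(0x30, version + _tlv(0x02, serial_bytes) + filler))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SERIAL_ORIGINAL = 0xD639DF36930E93607EB2A83B378675CE   # serials from the thread
SERIAL_NEW = 0x87AAFEE2BE524EBA7D01CE028B01E333

ORIGINAL_FILE = to_pem(build_sample_der(SERIAL_ORIGINAL))
# What a CA tool might hand back after "revoking": same PEM body, text prepended.
REVOKED_FILE = "Status: Revoked 2024-10-20\nReason: superseded\n" + ORIGINAL_FILE
# A genuinely re-issued certificate: different body, hence different serial.
REISSUED_FILE = to_pem(build_sample_der(SERIAL_NEW))


def compare(file_a: str, file_b: str) -> dict:
    """Tell whether two files carry the same certificate as far as OpenXPKI cares."""
    der_a, der_b = pem_to_der(file_a), pem_to_der(file_b)
    return {
        "same_identifier": openxpki_identifier(der_a) == openxpki_identifier(der_b),
        "same_serial": certificate_serial(der_a) == certificate_serial(der_b),
    }


if __name__ == "__main__":
    for name, f in [("original", ORIGINAL_FILE), ("revoked", REVOKED_FILE),
                    ("reissued", REISSUED_FILE)]:
        der = pem_to_der(f)
        print(f"{name:9s} serial={certificate_serial(der)} "
              f"identifier={openxpki_identifier(der)}")
```

On a real file the same two values are available from OpenSSL (`openssl x509 -in first_realm_new.crt -noout -serial -fingerprint -sha1`); the SHA-1 fingerprint is the digest the identifier is derived from under the assumption above. If the "revoked" file yields the original's identifier and serial, it is the original certificate with text wrapped around it, and the revocation has to be recorded on the database entry as Oli describes rather than by re-importing the file.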