Issue #8278 has been updated by Nigel Kersten.
Status changed from Accepted to Needs More Information
Assignee set to Ben Hughes
Ben, I can't reproduce this with 2.7.3.
I did --revoke --all and serial # 1 didn't get revoked.
<pre>
[root@pe-centos6 ssl]# openssl x509 -text -in ca/ca_crt.pem | grep Serial
Serial Number: 1 (0x1)
[root@pe-centos6 ssl]# openssl crl -text -in ca/ca_crl.pem | grep Serial
Serial Number: 02
Serial Number: 03
Serial Number: 04
Serial Number: 05
Serial Number: 06
Serial Number: 07
Serial Number: 08
</pre>
----------------------------------------
Feature #8278: Puppet cert should safeguard itself when revoking.
https://projects.puppetlabs.com/issues/8278
Author: Ben Hughes
Status: Needs More Information
Priority: Normal
Assignee: Ben Hughes
Category:
Target version:
Affected Puppet version:
Keywords: SSL
Branch:
# Overview #
With puppet cert you're able to revoke certificate 0x0001, which in pretty much
all cases will be CA itself. puppet cert --clean/--revoke should present an
error or a warning and require additional confirmation before doing this.
# Expected Behaviour #
Prompting or "--force-me-to-do-something-bad" option.
<pre>
puppetmaster# puppet cert --clean ca.puppetlabs.test
This will remove cert 0x0001 and possible invalidate your CA, are you sure?
</pre>
# Actual Behaviour #
<pre>
puppetmaster# openssl crl -text -in /var/lib/puppet/ssl/ca/ca_crl.pem
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=ca.puppetlabs.test
Last Update: Jun 24 17:58:26 2011 GMT
Next Update: Jun 22 17:58:26 2016 GMT
CRL extensions:
X509v3 CRL Number:
24
Revoked Certificates:
Serial Number: 01
Revocation Date: Jun 14 23:35:06 2011 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
</pre>
# Detail #
This can happen if inventory.txt rolls over too. So we'd need to check the
serial numbers of the hostnames/CNs that the user specifies.
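The safeguard this ticket asks for, as an added example that is not Puppet's own code: a self-signed CA with serial 1 and one agent certificate are constructed as fixtures, and the guard refuses to add the CA certificate itself to the CRL, comparing the full certificate (and the CA's subject plus public key) rather than trusting serial 1 alone, since inventory.txt roll-over can reuse serials.

```ruby
require 'openssl'

# Constructed fixtures for this example (not Puppet's CA): a self-signed CA
# with serial 1, as puppet cert's first certificate comes out, and one agent cert.
def make_cert(serial, subject, key, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert(1, '/CN=ca.puppetlabs.test', CA_KEY)
AGENT_KEY = OpenSSL::PKey::RSA.new(2048)
AGENT_CERT = make_cert(2, '/CN=agent1.puppetlabs.test', AGENT_KEY, issuer: CA_CERT, issuer_key: CA_KEY)

def new_crl(ca_cert)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  crl
end

# The safeguard: the cert being revoked must not be the CA itself. Serial 1 alone
# is not a reliable test (inventory.txt can roll over), so compare the DER encoding
# and, as a second net, the CA's subject together with its public key.
def safe_to_revoke?(ca_cert, cert)
  return false if cert.to_der == ca_cert.to_der
  return false if cert.subject == ca_cert.subject && cert.public_key.to_der == ca_cert.public_key.to_der
  true
end

# Adds cert to the CRL and re-signs it, or raises instead of revoking the CA.
def revoke!(crl, ca_cert, ca_key, cert)
  raise "refusing to revoke the CA certificate itself (serial #{cert.serial})" unless safe_to_revoke?(ca_cert, cert)
  rev = OpenSSL::X509::Revoked.new
  rev.serial = cert.serial
  rev.time = Time.now
  crl.add_revoked(rev)
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end
```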