Issue #8278 has been updated by Nigel Kersten.
There isn't really one:
<pre>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA: pe-centos6.localdomain
Validity
Not Before: Sep 12 21:09:41 2011 GMT
Not After : Sep 10 21:09:41 2016 GMT
Subject: CN=Puppet CA: pe-centos6.localdomain
</pre>
----------------------------------------
Feature #8278: Puppet cert should safeguard itself when revoking.
https://projects.puppetlabs.com/issues/8278
Author: Ben Hughes
Status: Needs More Information
Priority: Normal
Assignee: Ben Hughes
Category:
Target version:
Affected Puppet version:
Keywords: SSL
Branch:
# Overview #
With puppet cert you're able to revoke certificate 0x0001, which in pretty much
all cases will be the CA itself. puppet cert --clean/--revoke should present an
error or a warning and require additional confirmation before doing this.
# Expected Behaviour #
Prompting or "--force-me-to-do-something-bad" option.
<pre>
puppetmaster# puppet cert --clean ca.puppetlabs.test
This will remove cert 0x0001 and possibly invalidate your CA, are you sure?
</pre>
# Actual Behaviour #
<pre>
puppetmaster# openssl crl -text -in /var/lib/puppet/ssl/ca/ca_crl.pem
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /CN=ca.puppetlabs.test
Last Update: Jun 24 17:58:26 2011 GMT
Next Update: Jun 22 17:58:26 2016 GMT
CRL extensions:
X509v3 CRL Number:
24
Revoked Certificates:
Serial Number: 01
Revocation Date: Jun 14 23:35:06 2011 GMT
CRL entry extensions:
X509v3 CRL Reason Code:
Key Compromise
</pre>
# Detail #
This can happen if inventory.txt rolls over too. So we'd need to check the
serial numbers of the hostnames/CNs that the user specifies.