Issue #8278 has been updated by Charlie Sharpsteen. Keywords changed from SSL to SSL customer
----------------------------------------
Feature #8278: Puppet cert should safeguard itself when revoking.
https://projects.puppetlabs.com/issues/8278#change-88627

* Author: Ben Hughes
* Status: Rejected
* Priority: Normal
* Assignee: Ben Hughes
* Category: SSL
* Target version:
* Affected Puppet version:
* Keywords: SSL customer
* Branch:
----------------------------------------
# Overview #

With puppet cert you're able to revoke certificate 0x0001, which in pretty much all cases will be the CA itself. puppet cert --clean/--revoke should present an error or a warning and require additional confirmation before doing this.

# Expected Behaviour #

Prompting or "--force-me-to-do-something-bad" option.

<pre>
puppetmaster# puppet cert --clean ca.puppetlabs.test
This will remove cert 0x0001 and possible invalidate your CA, are you sure?
</pre>

# Actual Behaviour #

<pre>
puppetmaster# openssl crl -text -in /var/lib/puppet/ssl/ca/ca_crl.pem
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ca.puppetlabs.test
        Last Update: Jun 24 17:58:26 2011 GMT
        Next Update: Jun 22 17:58:26 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                24
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun 14 23:35:06 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
</pre>

# Detail #

This can happen if inventory.txt rolls over too. So we'd need to check the serial numbers of the hostnames/CNs that the user specifies.
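The serial-number check requested in the issue, as an added Ruby sketch that is not Puppet's own code: it compares serials rather than names, so it still catches the case where a different CN maps to the CA's serial. The helper names, the `force:` keyword and the throwaway CA (`ca.example.test`) are assumptions constructed for illustration.

```ruby
require "openssl"

# Constructed sample data: a throwaway self-signed CA with serial 1.
def build_sample_ca(cn = "ca.example.test")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Constructed sample data: a CRL signed by that CA listing the given serials.
def build_sample_crl(ca_cert, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# Hypothetical pre-revocation guard: refuse any serial equal to the CA
# certificate's own serial unless the operator explicitly forces it.
def revocation_allowed?(ca_cert, serial, force: false)
  force || serial.to_i != ca_cert.serial.to_i
end

# Audit check: is the CA's own serial already listed in a CRL it signed?
def ca_serial_revoked?(ca_cert, crl)
  crl.verify(ca_cert.public_key) &&
    crl.revoked.any? { |entry| entry.serial.to_i == ca_cert.serial.to_i }
end

if __FILE__ == $0
  ca, key = build_sample_ca
  puts "CA self-revoked: #{ca_serial_revoked?(ca, build_sample_crl(ca, key, [1]))}"
end
```

`ca_serial_revoked?` can also be pointed at an existing CA certificate and CRL loaded with `OpenSSL::X509::Certificate.new(File.read(...))` and `OpenSSL::X509::CRL.new(File.read(...))` to audit a master that may already be in the state shown under "Actual Behaviour".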
