Problems revoking a cert
Michael Wojcik
Michael.Wojcik at microfocus.com
Mon Feb 24 17:08:08 UTC 2020
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Michael Leone
> Sent: Monday, February 24, 2020 09:37
> SO I was an idiot, and signed a certificate, but specified an invalid location. i.e.,
> I used a "/" instead of a "/" in the location.
I assume that was supposed to be 'a "\" instead of a "/"', based on what you have below.
> $ sudo openssl ca -in requests/<client>.req -out certs\<client>-2020-02-24.<FQDN>
>
> And so I can't find that cert file anywhere (obviously).
That's not obvious at all. The backslash just escapes the first character of <client> for the shell (assuming root's shell isn't something very idiosyncratic), so the file should just be named
certs<client>-2020-02-4.<FQDN>
(substituting the appropriate strings), and should be in the directory containing the requests and certs directories. Since you ran openssl as root (which wouldn't be my choice, but whatever), write permission to the directory shouldn't have been a problem.
> So I'd like to revoke it, so that I can re-sign it properly. But whenever I go to
> revoke it, I have nothing to use an input to the revoke functionality.
Does your CA configuration not have a new_certs_dir? Normally it will create a copy of the certificate there, under the serial number.
> I know the serial number of the wrongly issued cert, I had hoped I could revoke
> using just the serial number. But searches tell me I can't do it that way.
Well, you *can*, by editing the CA's index.txt file directly. You can create and revoke a test certificate to see what the altered line should look like. (It will start with "R" instead of "V", and have a revocation date. Fields are separated by tabs.)
--
Michael Wojcik
Distinguished Engineer, Micro Focus
More information about the openssl-users
mailing list